feat: add support for Bun lockfile (#4625 )

--------- Signed-off-by: Yoonho Hann <hnnynh125@gmail.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
fix: local version identifiers in python requirements parsing (#4959 )
2026-06-10 14:28:24 +02:00 · 2026-06-09 13:22:43 -04:00 · 2026-06-08 11:12:47 -04:00 · 2026-06-08 10:07:15 -04:00 · 2026-06-07 13:28:18 -04:00 · 2026-06-05 13:55:57 +00:00
310 changed files with 10931 additions and 2306 deletions
--- a/.binny.yaml
+++ b/.binny.yaml
@ -1,67 +1,10 @@
 # only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
 cooldown: 7d
-
+# Most tools (binny, chronicle, cosign, golangci-lint, goreleaser, gosimports,
 # bouncer, quill, syft, task, gh) are inherited from anchore/go-make's embedded
 # .binny.yaml — see https://github.com/anchore/go-make. Only syft-specific tools
 # or version overrides should live here.
 tools:
  ## internal tools ############################################################################
  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
  - name: binny
    version:
      want: v0.13.0
    method: github-release
    with:
      repo: anchore/binny
  # used to produce SBOMs during release
  - name: syft
    version:
      want: v1.42.3
    method: github-release
    with:
      repo: anchore/syft
  # used to sign mac binaries at release
  - name: quill
    version:
      want: v0.7.1
    method: github-release
    with:
      repo: anchore/quill
  # used at release to generate the changelog
  - name: chronicle
    version:
      want: v0.8.0
    method: github-release
    with:
      repo: anchore/chronicle
  ## external tools ############################################################################
  # used for linting
  - name: golangci-lint
    version:
      want: v2.11.4
    method: github-release
    with:
      repo: golangci/golangci-lint
  # used for showing the changelog at release
  - name: glow
    version:
      want: v2.1.1
    method: github-release
    with:
      repo: charmbracelet/glow
  # used for signing the checksums file at release
  - name: cosign
    version:
      want: v3.0.5
    method: github-release
    with:
      repo: sigstore/cosign
  # used in integration tests to verify JSON schemas
  - name: yajsv
    version:
@ -70,58 +13,18 @@ tools:
    with:
      repo: neilpa/yajsv
  # used to release all artifacts
  - name: goreleaser
    version:
      want: v2.15.2
    method: github-release
    with:
      repo: goreleaser/goreleaser
  # used for organizing imports during static analysis
  - name: gosimports
    version:
      want: v0.3.8
    method: github-release
    with:
      repo: rinchsan/gosimports
  # used during static analysis for license compliance
  - name: bouncer
    version:
      want: v0.4.0
    method: github-release
    with:
      repo: wagoodman/go-bouncer
  # used for running all local and CI tasks
  - name: task
    version:
      want: v3.49.1
    method: github-release
    with:
      repo: go-task/task
  # used for triggering a release
  - name: gh
    version:
      want: v2.89.0
    method: github-release
    with:
      repo: cli/cli
  # used to upload test fixture cache
  - name: oras
    version:
-      want: v1.3.1
+      want: v1.3.2
    method: github-release
    with:
      repo: oras-project/oras
-  # used to upload test fixture cache
+  # used to parse JSON/YAML annotations on the fixture cache image
  - name: yq
    version:
-      want: v4.52.5
+      want: v4.53.2
    method: github-release
    with:
      repo: mikefarah/yq
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@ -1,26 +1,27 @@
 name: "Bootstrap"
 description: "Bootstrap all syft tools and dependencies on top of go-make's setup action"
 # This action is a thin wrapper around anchore/go-make/.github/actions/setup which
 # already handles checkout, setup-go, restore-only build/mod cache, and tool cache.
 # We add the syft-specific extras here: apt packages and the test fixture cache.
 description: "Bootstrap all tools and dependencies"
 inputs:
  go-version:
-    description: "Go version to install"
+    description: "Go version to install (passed to go-make/setup)"
    required: true
-    default: "1.26.x"
+    default: "1.26.2"
-  go-dependencies:
+  cache-key-prefix:
-    description: "Download go dependencies"
+    description: "Prefix all cache keys with this value (passed to go-make/setup)"
    required: true
    default: "v1"
  cache-enabled:
    description: "Enable build/mod and tool caching (passed to go-make/setup)"
    required: true
    default: "true"
  cache-key-prefix:
    description: "Prefix all cache keys with this value"
    required: true
    default: "53ac821810"
  download-test-fixture-cache:
    description: "Download test fixture cache from OCI and github actions"
    required: true
    default: "false"
  tools:
    description: "whether to install tools"
    default: "true"
  bootstrap-apt-packages:
    description: "Space delimited list of tools to install via apt"
    default: "libxml2-utils"
@ -28,33 +29,16 @@ inputs:
 runs:
  using: "composite"
  steps:
-    # note: go mod and build is automatically cached on default with v4+
+    - name: Setup go + go-make tooling
-    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: anchore/go-make/.github/actions/setup@9de27be11ed73e2f9d5406a836a492b7d8aa1225 # v0.5.0
      if: inputs.go-version != ''
      with:
        go-version: ${{ inputs.go-version }}
-        check-latest: true
+        cache-key-prefix: ${{ inputs.cache-key-prefix }}
        cache-enabled: ${{ inputs.cache-enabled }}
-    - name: Restore tool cache
+    - name: Install binny-managed tools
      if: inputs.tools == 'true'
      id: tool-cache
      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
      with:
        path: ${{ github.workspace }}/.tool
        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
    - name: Install project tools
      shell: bash
-      if: inputs.tools == 'true'
+      run: make binny:install
      run: |
        make tools
        .tool/binny list
        .tool/binny check
    - name: Install go dependencies
      if: inputs.go-dependencies == 'true'
      shell: bash
      run: make ci-bootstrap-go
    - name: Install apt packages
      if: inputs.bootstrap-apt-packages != ''
@ -65,9 +49,18 @@ runs:
        IFS=' ' read -ra packages <<< "$APT_PACKAGES"
        DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
    # ORAS cache: restore-only on non-default branches / forks
    - name: Restore ORAS cache from github actions
-      if: inputs.download-test-fixture-cache == 'true'
+      if: ${{ inputs.download-test-fixture-cache == 'true' && (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) || github.event.repository.fork == true) }}
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ${{ github.workspace }}/.tmp/oras-cache
        key: ${{ inputs.cache-key-prefix }}-oras-cache
    # ORAS cache: restore + save on the default branch of the canonical repo only.
    - name: Restore and save ORAS cache from github actions
      if: ${{ inputs.download-test-fixture-cache == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.event.repository.fork == false }}
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ${{ github.workspace }}/.tmp/oras-cache
        key: ${{ inputs.cache-key-prefix }}-oras-cache
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -14,7 +14,9 @@ version: 2
 updates:
  - package-ecosystem: gomod
-    directory: "/"
+    directories:
      - "/"
      - "/.make"
    cooldown:
      default-days: 7
    schedule:
--- a/.github/scripts/ci-check.sh
+++ b/.github/scripts/ci-check.sh
@ -1,11 +0,0 @@
 #!/usr/bin/env bash
 red=$(tput setaf 1)
 bold=$(tput bold)
 normal=$(tput sgr0)
 # assert we are running in CI (or die!)
 if [[ -z "$CI" ]]; then
    echo "${bold}${red}This step should ONLY be run in CI. Exiting...${normal}"
    exit 1
 fi
--- a/.github/scripts/coverage.py
+++ b/.github/scripts/coverage.py
@ -1,36 +0,0 @@
 #!/usr/bin/env python3
 import subprocess
 import sys
 import shlex
 class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKCYAN = '\033[96m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
 if len(sys.argv) < 3:
    print("Usage: coverage.py [threshold] [go-coverage-report]")
    sys.exit(1)
 threshold = float(sys.argv[1])
 report = sys.argv[2]
 args = shlex.split(f"go tool cover -func {report}")
 p = subprocess.run(args, capture_output=True, text=True)
 percent_coverage = float(p.stdout.splitlines()[-1].split()[-1].replace("%", ""))
 print(f"{bcolors.BOLD}Coverage: {percent_coverage}%{bcolors.ENDC}")
 if percent_coverage < threshold:
    print(f"{bcolors.BOLD}{bcolors.FAIL}Coverage below threshold of {threshold}%{bcolors.ENDC}")
    sys.exit(1)
--- a/.github/scripts/find_cache_paths.py
+++ b/.github/scripts/find_cache_paths.py
@ -1,35 +1,45 @@
 #!/usr/bin/env python3
 from __future__ import annotations
 import os
 import glob
 import sys
 import json
 import hashlib
-
+import json
 import os
 import sys
 IGNORED_PREFIXES = []
 def find_fingerprints_and_check_dirs(base_dir):
-    all_fingerprints = set(glob.glob(os.path.join(base_dir, '**', 'test*', '**', '*.fingerprint'), recursive=True))
+    all_fingerprints = set(
        glob.glob(
            os.path.join(base_dir, "**", "test*", "**", "*.fingerprint"), recursive=True
        )
    )
-    all_fingerprints = {os.path.relpath(fp) for fp in all_fingerprints
+    all_fingerprints = {
-                        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)}
+        os.path.relpath(fp)
        for fp in all_fingerprints
        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)
    }
    if not all_fingerprints:
        show("No .fingerprint files or cache directories found.")
        exit(1)
-    missing_content = []
+    orphan_fingerprints = []
    empty_content = []
    valid_paths = set()
    fingerprint_contents = []
    for fingerprint in all_fingerprints:
-        path = fingerprint.replace('.fingerprint', '')
+        path = fingerprint.replace(".fingerprint", "")
        if not os.path.exists(path):
-            missing_content.append(path)
+            # paired content path is entirely missing — the .fingerprint is likely
            # leftover from a moved/deleted source (testdata trees are git-ignored,
            # so they persist locally across rename refactors)
            orphan_fingerprints.append(fingerprint)
            continue
        if not os.path.isdir(path):
@ -39,13 +49,13 @@ def find_fingerprints_and_check_dirs(base_dir):
        if os.listdir(path):
            valid_paths.add(path)
        else:
-            missing_content.append(path)
+            empty_content.append(path)
-        with open(fingerprint, 'r') as f:
+        with open(fingerprint, "r") as f:
            content = f.read().strip()
            fingerprint_contents.append((fingerprint, content))
-    return sorted(valid_paths), missing_content, fingerprint_contents
+    return sorted(valid_paths), empty_content, orphan_fingerprints, fingerprint_contents
 def parse_fingerprint_contents(fingerprint_content):
@ -59,7 +69,9 @@ def parse_fingerprint_contents(fingerprint_content):
 def calculate_sha256(fingerprint_contents):
    sorted_fingerprint_contents = sorted(fingerprint_contents, key=lambda x: x[0])
-    concatenated_contents = ''.join(content for _, content in sorted_fingerprint_contents)
+    concatenated_contents = "".join(
        content for _, content in sorted_fingerprint_contents
    )
    sha256_hash = hashlib.sha256(concatenated_contents.encode()).hexdigest()
@ -68,7 +80,7 @@ def calculate_sha256(fingerprint_contents):
 def calculate_file_sha256(file_path):
    sha256_hash = hashlib.sha256()
-    with open(file_path, 'rb') as f:
+    with open(file_path, "rb") as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            sha256_hash.update(byte_block)
    return sha256_hash.hexdigest()
@ -79,17 +91,28 @@ def show(*s: str):
 def main(file_path: str | None):
-    base_dir = '.'
+    base_dir = "."
-    valid_paths, missing_content, fingerprint_contents = find_fingerprints_and_check_dirs(base_dir)
+    valid_paths, empty_content, orphan_fingerprints, fingerprint_contents = (
        find_fingerprints_and_check_dirs(base_dir)
    )
-    if missing_content:
+    if empty_content:
-        show("The following paths are missing or have no content, but have corresponding .fingerprint files:")
+        show(
-        for path in sorted(missing_content):
+            "The following paths exist but are empty, and have corresponding .fingerprint files:"
        )
        for path in sorted(empty_content):
            show(f"- {path}")
        # when adding new cache directories there is a time where it is not possible to have this directory without
        # running the tests first... but this step is a prerequisite for running the tests. We should not block on this.
-        # show("Please ensure these paths exist and have content if they are directories.")
+
-        # exit(1)
+    if orphan_fingerprints:
        show(
            "The following .fingerprint files reference paths that no longer exist "
            "(likely leftover from a moved/deleted cataloger — safe to delete, "
            "or run `task prune-orphan-fingerprints`):"
        )
        for fp in sorted(orphan_fingerprints):
            show(f"- {fp}")
    sha256_hash = calculate_sha256(fingerprint_contents)
@ -101,30 +124,24 @@ def main(file_path: str | None):
                file_digest = calculate_file_sha256(fingerprint_file)
                # Parse the fingerprint file to get the digest/path tuples
-                with open(fingerprint_file, 'r') as f:
+                with open(fingerprint_file, "r") as f:
                    fingerprint_content = f.read().strip()
                    input_map = parse_fingerprint_contents(fingerprint_content)
-                paths_with_digests.append({
+                paths_with_digests.append(
-                    "path": path,
+                    {"path": path, "digest": file_digest, "input": input_map}
-                    "digest": file_digest,
+                )
                    "input": input_map
                })
        except Exception as e:
            show(f"Error processing {fingerprint_file}: {e}")
            raise e
-
+    output = {"digest": sha256_hash, "paths": paths_with_digests}
    output = {
        "digest": sha256_hash,
        "paths": paths_with_digests
    }
    content = json.dumps(output, indent=2, sort_keys=True)
    if file_path:
-        with open(file_path, 'w') as f:
+        with open(file_path, "w") as f:
            f.write(content)
    print(content)
--- a/.github/scripts/go-mod-tidy-check.sh
+++ b/.github/scripts/go-mod-tidy-check.sh
@ -1,30 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
 TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
 trap "cp -p ${ORIGINAL_STATE_DIR}/* ./ && git update-index -q --refresh && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
 # capturing original state of files...
 cp go.mod go.sum "${ORIGINAL_STATE_DIR}"
 # capturing state of go.mod and go.sum after running go mod tidy...
 go mod tidy
 cp go.mod go.sum "${TIDY_STATE_DIR}"
 set +e
 # detect difference between the git HEAD state and the go mod tidy state
 DIFF_MOD=$(diff -u "${ORIGINAL_STATE_DIR}/go.mod" "${TIDY_STATE_DIR}/go.mod")
 DIFF_SUM=$(diff -u "${ORIGINAL_STATE_DIR}/go.sum" "${TIDY_STATE_DIR}/go.sum")
 if [[ -n "${DIFF_MOD}" || -n "${DIFF_SUM}" ]]; then
    echo "go.mod diff:"
    echo "${DIFF_MOD}"
    echo "go.sum diff:"
    echo "${DIFF_SUM}"
    echo ""
    printf "FAILED! go.mod and/or go.sum are NOT tidy; please run 'go mod tidy'.\n\n"
    exit 1
 fi
--- a/.github/scripts/prune_orphan_fingerprints.py
+++ b/.github/scripts/prune_orphan_fingerprints.py
@ -0,0 +1,102 @@
 #!/usr/bin/env python3
 """
 Remove orphan *.fingerprint files left behind by moved/deleted catalogers.
 A fingerprint is considered orphaned when:
  1. its paired content path (the fingerprint path with `.fingerprint` stripped)
     does not exist, AND
  2. the nearest ancestor `testdata/` directory has no `Makefile` claiming
     responsibility for generating that path.
 The second condition is the safety check: if there is a Makefile, the
 fingerprint is "live" and might just be waiting for fixtures to be built —
 leave it alone. Without a Makefile, nothing in-repo will ever regenerate
 the content, so the fingerprint is dead weight that triggers spurious
 "missing path" warnings.
 Empty parent directories are also pruned after removing the fingerprint.
 Use --dry-run to preview without deleting.
 """
 from __future__ import annotations
 import argparse
 import glob
 import os
 import sys
 def find_ancestor_testdata(path: str) -> str | None:
    d = os.path.dirname(path)
    while d and d not in (".", os.sep):
        if os.path.basename(d) == "testdata":
            return d
        d = os.path.dirname(d)
    return None
 def is_orphan(fingerprint: str) -> bool:
    paired = fingerprint[: -len(".fingerprint")]
    if os.path.exists(paired):
        return False
    testdata_dir = find_ancestor_testdata(fingerprint)
    if testdata_dir and os.path.isfile(os.path.join(testdata_dir, "Makefile")):
        # a Makefile exists that may regenerate this — not safe to prune
        return False
    return True
 def prune_empty_parents(start: str, stop_at: str = ".") -> list[str]:
    removed = []
    d = os.path.dirname(start)
    stop_at = os.path.abspath(stop_at)
    while d and os.path.abspath(d) != stop_at:
        try:
            if not os.listdir(d):
                os.rmdir(d)
                removed.append(d)
                d = os.path.dirname(d)
            else:
                break
        except OSError:
            break
    return removed
 def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--dry-run",
        action="store_true",
        help="Show what would be removed without deleting anything",
    )
    args = parser.parse_args()
    all_fingerprints = glob.glob("**/test*/**/*.fingerprint", recursive=True)
    orphans = sorted(fp for fp in all_fingerprints if is_orphan(fp))
    if not orphans:
        print("no orphan fingerprints found")
        return 0
    verb = "would remove" if args.dry_run else "removing"
    print(f"{verb} {len(orphans)} orphan fingerprint(s):")
    for fp in orphans:
        print(f"- {fp}")
        if args.dry_run:
            continue
        try:
            os.remove(fp)
        except OSError as e:
            print(f"  ! failed to remove: {e}", file=sys.stderr)
            continue
        for d in prune_empty_parents(fp):
            print(f"  (also removed empty dir {d})")
    return 0
 if __name__ == "__main__":
    sys.exit(main())
--- a/.github/scripts/trigger-release.sh
+++ b/.github/scripts/trigger-release.sh
@ -1,57 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 bold=$(tput bold)
 normal=$(tput sgr0)
 GH_CLI=.tool/gh
 if ! [ -x "$(command -v $GH_CLI)" ]; then
    echo "The GitHub CLI could not be found. run: make bootstrap"
    exit 1
 fi
 $GH_CLI auth status
 # set the default repo in cases where multiple remotes are defined
 $GH_CLI repo set-default anchore/syft
 export GITHUB_TOKEN="${GITHUB_TOKEN-"$($GH_CLI auth token)"}"
 # we need all of the git state to determine the next version. Since tagging is done by
 # the release pipeline it is possible to not have all of the tags from previous releases.
 git fetch --tags
 # populates the CHANGELOG.md and VERSION files
 echo "${bold}Generating changelog...${normal}"
 make changelog 2> /dev/null
 NEXT_VERSION=$(cat VERSION)
 if [[ "$NEXT_VERSION" == "" ||  "${NEXT_VERSION}" == "(Unreleased)" ]]; then
    echo "Could not determine the next version to release. Exiting..."
    exit 1
 fi
 while true; do
    read -p "${bold}Do you want to trigger a release for version '${NEXT_VERSION}'?${normal} [y/n] " yn
    case $yn in
        [Yy]* ) echo; break;;
        [Nn]* ) echo; echo "Cancelling release..."; exit;;
        * ) echo "Please answer yes or no.";;
    esac
 done
 echo "${bold}Kicking off release for ${NEXT_VERSION}${normal}..."
 echo
 $GH_CLI workflow run release.yaml -f version=${NEXT_VERSION}
 echo
 echo "${bold}Waiting for release to start...${normal}"
 sleep 10
 set +e
 echo "${bold}Head to the release workflow to monitor the release:${normal} $($GH_CLI run list --workflow=release.yaml --limit=1 --json url --jq '.[].url')"
 id=$($GH_CLI run list --workflow=release.yaml --limit=1 --json databaseId --jq '.[].databaseId')
 $GH_CLI run watch $id --exit-status || (echo ; echo "${bold}Logs of failed step:${normal}" && GH_PAGER="" $GH_CLI run view $id --log-failed)
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@ -1,6 +1,3 @@
 # CodeQL scans for security vulnerabilities and coding errors across all
 # languages in this repo. Results appear in the "Security" tab under
 # "Code scanning alerts" and are enforced by branch protection rules.
 name: "CodeQL"
 on:
@ -8,74 +5,17 @@ on:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Weekly scheduled scan catches newly disclosed vulnerabilities in
  # existing code, not just changes introduced by PRs.
  schedule:
    - cron: '38 11 * * 3'
 permissions: {}
 jobs:
  analyze:
-    name: Analyze (${{ matrix.language }})
+    name: Analyze
-    runs-on: ubuntu-latest
+    uses: anchore/workflows/.github/workflows/codeql.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    permissions:
      # Required to upload SARIF results to the "Security" tab.
      security-events: write
      # Required to fetch internal or private CodeQL packs.
      packages: read
      # Only required for workflows in private repositories.
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # GitHub Actions workflow linting — no build needed.
          - language: actions
            build-mode: none
          # Go uses "manual" build mode so we control exactly what gets
          # compiled. The default "autobuild" finds the Makefile and runs
          # the full CI pipeline (lint, test, snapshot release, etc.),
          # which is far more work than CodeQL needs. All it requires is
          # compiled Go source so it can build a type-resolved code graph
          # for analysis.
          - language: go
            build-mode: manual
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Pin the Go toolchain to whatever go.mod declares so CodeQL
      # analyzes with the same version the project actually uses.
      # Only runs for the Go matrix entry.
      - name: Setup Go
        if: matrix.language == 'go'
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      # Minimal build for Go: compile all packages so CodeQL gets a full
      # type-resolved code graph for analysis.
      - name: Build (Go)
        if: matrix.build-mode == 'manual'
        shell: bash
        run: go build ./...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          # The category tag lets GitHub associate SARIF results with the
          # correct language when branch protection checks for required
          # code scanning results.
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/dependabot-automation.yaml
+++ b/.github/workflows/dependabot-automation.yaml
@ -1,10 +0,0 @@
 name: Dependabot Automation
 on:
  pull_request:
 permissions:
  pull-requests: write
 jobs:
  run:
    uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@ -1,64 +0,0 @@
 # Note: this workflow has been disabled manually in the UI and will be replaced in short order
 name: "Detect schema changes"
 on:
  # IMPORTANT! This workflow is triggered by the `pull_request_target` event
  # which means that forked PRs will run with access secrets from the repo
  # it's forked from (the "target" repo).
  #
  # For this reason we only NEVER checkout the code from the pull request
  # (e.g. "ref: ${{ github.event.pull_request.head.sha }}") to prevent
  # accidentally running potentially untrusted code.
  #
  # By default the checkout will be:
  #   - GITHUB_SHA: Last commit on the PR base branch
  #   - GITHUB_REF: PR base branch
  #
  # ...unlike a typical PR where:
  #   - GITHUB_SHA: Last merge commit on the GITHUB_REF branch
  #   - GITHUB_REF: PR merge branch refs/pull/:prNumber/merge
  pull_request_target:
 env:
  # note: this is used within hashFiles() so must be within the GITHUB_WORKSPACE path (or will silently fail)
  CI_COMMENT_FILE: .tmp/labeler-comment.txt
  # needs to be any string to uniquely identify the comment on a PR across multiple runs
  COMMENT_HEADER: "label-commentary"
 jobs:
  label:
    name: "Label changes"
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
      - run: python .github/scripts/labeler.py
        env:
          # note: this token has write access to the repo
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_PR_NUMBER: ${{ github.event.number }}
      - name: Delete existing comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
        with:
          header: ${{ env.COMMENT_HEADER }}
          hide: true
          hide_classify: "OUTDATED"
      - name: Add comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
        with:
          header: ${{ env.COMMENT_HEADER }}
          path: ${{ env.CI_COMMENT_FILE }}
--- a/.github/workflows/oss-project-board-add.yaml
+++ b/.github/workflows/oss-project-board-add.yaml
@ -1,18 +0,0 @@
 name: Add to OSS board
 permissions:
  contents: read
 on:
  issues:
    types:
      - opened
      - reopened
      - transferred
      - labeled
 jobs:
  run:
    uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
    secrets:
      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,7 +1,11 @@
 name: "Release"
-permissions:
+permissions: {}
-  contents: read
+
 # there should never be two releases in progress at the same time
 concurrency:
  group: release
  cancel-in-progress: false
 on:
  workflow_dispatch:
@ -19,116 +23,30 @@ on:
          - "install-script-only"
 jobs:
-  quality-gate:
+  version-available:
    environment: release
    if: ${{ github.event.inputs.phase == 'all' }}
-    runs-on: ubuntu-24.04
+    permissions:
-    steps:
+      contents: read # required for fetching tags
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+    uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    with:
-          persist-credentials: false
+      version: ${{ github.event.inputs.version }}
-      - name: Bootstrap environment
+  check-gate:
-        uses: ./.github/actions/bootstrap
+    if: ${{ github.event.inputs.phase == 'all' }}
-
+    permissions:
-      - name: Validate Apple notarization credentials
+      contents: read
-        run: .tool/quill submission list
+      checks: read # required for getting the status of specific check names
-        env:
+    uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
      - name: Check if running on main
        if: github.ref != 'refs/heads/main'
        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
        # at the time of when the OIDC token was issued on the Github Actions runner.
        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
      - name: Check if tag already exists
        # note: this will fail if the tag already exists
        run: |
          [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
          git tag "$VERSION"
        env:
          VERSION: ${{ github.event.inputs.version }}
      - name: Check static analysis results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: static-analysis
    with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # these are checks that should be run on pull-request and merges to main.
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
+      # we do NOT want to kick off a release if these have not been verified on main.
-          checkName: "Static analysis"
+      # Please see the validations.yaml workflow for the names that should be used here.
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'
      - name: Check unit test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: unit
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Unit tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check integration test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: integration
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Integration tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check acceptance test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check acceptance test results (mac)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-mac
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Mac)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check cli test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: cli-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "CLI tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Quality gate
        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
        env:
          STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
          UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
          INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
          ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
          ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
          CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
        run: |
          echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
          echo "Unit Test Status: $UNIT_TEST_STATUS"
          echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
          echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
          echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
          echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
          false
  release:
-    needs: [ quality-gate ]
+    needs: [check-gate, version-available]
    if: ${{ github.event.inputs.phase == 'all' }}
    environment: release
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
@ -136,10 +54,9 @@ jobs:
    #   tmpfs: faster io-intensive workflows
    runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
    permissions:
-      contents: write
+      contents: write # required for creating the GitHub release and pushing the version tag
-      packages: write
+      packages: write # required for publishing release artifacts to GitHub packages
-      # required for goreleaser signs section with cosign
+      id-token: write # required for keyless signing (cosign/sigstore OIDC)
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
@ -150,31 +67,24 @@ jobs:
        uses: ./.github/actions/bootstrap
      - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
          password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Tag release
        run: |
          git config --global user.name "anchoreci"
          git config --global user.email "anchoreci@users.noreply.github.com"
          git tag -a "$VERSION" -m "Release $VERSION"
          git push origin --tags
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.event.inputs.version }}
      - name: Build & publish release artifacts
        run: make ci-release
        env:
          # used for pushing tags
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          RELEASE_VERSION: ${{ github.event.inputs.version }}
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
@ -186,36 +96,18 @@ jobs:
          # for updating brew formula in anchore/homebrew-syft
          GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
-      - uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 #v0.23.0
+      - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v0.24.0
        continue-on-error: true
        with:
          file: go.mod
          artifact-name: sbom.spdx.json
      - name: Notify Slack of new release
        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
        continue-on-error: true
        with:
          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
            blocks:
              - type: section
                text:
                  type: mrkdwn
                  text: |
                    *A new Syft release has been published* :rocket:
                    • Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
                    • Repo: `${{ github.repository }}`
                    • Workflow: `${{ github.workflow }}`
                    • Event: `${{ github.event_name }}`
        if: ${{ success() }}
  release-install-script:
    needs: [release]
    if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
-    uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
+    permissions:
      contents: read # required for the reusable workflow to check out the repo and publish the install script
    uses: anchore/workflows/.github/workflows/release-install-script.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    with:
      tag: ${{ github.event.inputs.version }}
    secrets:
--- a/.github/workflows/remove-awaiting-response-label.yaml
+++ b/.github/workflows/remove-awaiting-response-label.yaml
@ -1,15 +0,0 @@
 name: "Manage Awaiting Response Label"
 on:
  issue_comment:
    types: [created]
 jobs:
  run:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
    secrets:
      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
--- a/.github/workflows/validate-github-actions.yaml
+++ b/.github/workflows/validate-github-actions.yaml
@ -10,8 +10,7 @@ on:
      - '.github/workflows/**'
      - '.github/actions/**'
-permissions:
+permissions: {}
  contents: read
 jobs:
  zizmor:
@ -26,7 +25,7 @@ jobs:
          persist-credentials: false
      - name: "Run zizmor"
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
          advanced-security: true
--- a/.github/workflows/validations.yaml
+++ b/.github/workflows/validations.yaml
@ -13,8 +13,7 @@ on:
    branches:
      - main
-permissions:
+permissions: {}
  contents: read
 jobs:
  Static-Analysis:
@ -22,9 +21,12 @@ jobs:
    name: "Static analysis"
    # runs-on.com: memory & general purpose instances for testing
    #   spot enabled: ok to interrupt non-production workloads
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
-    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=tmpfs"
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
@ -45,6 +47,8 @@ jobs:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
@ -65,6 +69,8 @@ jobs:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
@ -86,13 +92,13 @@ jobs:
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
-    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=tmpfs"
    permissions:
      contents: read
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e  # v2.0.3
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
@ -109,7 +115,7 @@ jobs:
        run: make snapshot-smoke-test
      - name: Upload snapshot artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: snapshot
          path: snapshot/
@ -120,10 +126,9 @@ jobs:
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e  # v2.0.3
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
@ -134,7 +139,7 @@ jobs:
          download-test-fixture-cache: true
      - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
        with:
          name: snapshot
          path: snapshot
@ -162,9 +167,11 @@ jobs:
    needs: [Build-Snapshot-Artifacts]
    # note: macos runners aren't supported yet for runs-on managed runners.
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
@ -178,7 +185,7 @@ jobs:
          download-test-fixture-cache: true
      - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
        with:
          name: snapshot
          path: snapshot
@ -197,10 +204,9 @@ jobs:
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e  # v2.0.3
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
@ -211,7 +217,7 @@ jobs:
          download-test-fixture-cache: true
      - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
        with:
          name: snapshot
          path: snapshot
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,8 @@ go.work
 go.work.sum
 .tool-versions
 .python-version
 .mise.toml
 .env
 # app configuration
 /.syft.yaml
@ -20,6 +22,8 @@ bin/
 /generate
 /specs
 mise.toml
 .make/.make
 .conductor
 # changelog generation
 CHANGELOG.md
@ -76,5 +80,3 @@ cosign.pub
 __pycache__/
 *.py[cod]
 *$py.class
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -14,7 +14,7 @@ builds:
    dir: ./cmd/syft
    binary: syft
    goos: [linux]
-    goarch: [amd64, arm64, ppc64le, s390x]
+    goarch: [amd64, arm64, ppc64le, riscv64, s390x]
    mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
    ldflags: &build-ldflags |
      -w
@ -114,6 +114,20 @@ dockers:
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
    goarch: riscv64
    dockerfile: Dockerfile
    use: buildx
    build_flag_templates:
      - "--platform=linux/riscv64"
      - "--build-arg=DEBIAN_VERSION=13"
      - "--build-arg=BUILD_DATE={{.Date}}"
      - "--build-arg=BUILD_VERSION={{.Version}}"
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-s390x
      - ghcr.io/anchore/syft:{{.Tag}}-s390x
@ -167,6 +181,20 @@ dockers:
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-nonroot-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
    goarch: riscv64
    dockerfile: Dockerfile.nonroot
    use: buildx
    build_flag_templates:
      - "--platform=linux/riscv64"
      - "--build-arg=DEBIAN_VERSION=13"
      - "--build-arg=BUILD_DATE={{.Date}}"
      - "--build-arg=BUILD_VERSION={{.Version}}"
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-nonroot-s390x
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
@ -220,6 +248,20 @@ dockers:
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-debug-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
    goarch: riscv64
    dockerfile: Dockerfile.debug
    use: buildx
    build_flag_templates:
      - "--platform=linux/riscv64"
      - "--build-arg=DEBIAN_VERSION=13"
      - "--build-arg=BUILD_DATE={{.Date}}"
      - "--build-arg=BUILD_VERSION={{.Version}}"
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"
  - image_templates:
      - anchore/syft:{{.Tag}}-debug-s390x
      - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
@ -239,6 +281,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-amd64
      - anchore/syft:{{.Tag}}-arm64v8
      - anchore/syft:{{.Tag}}-ppc64le
      - anchore/syft:{{.Tag}}-riscv64
      - anchore/syft:{{.Tag}}-s390x
  - name_template: ghcr.io/anchore/syft:latest
@ -246,6 +289,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-s390x
  - name_template: anchore/syft:{{.Tag}}
@ -253,6 +297,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-amd64
      - anchore/syft:{{.Tag}}-arm64v8
      - anchore/syft:{{.Tag}}-ppc64le
      - anchore/syft:{{.Tag}}-riscv64
      - anchore/syft:{{.Tag}}-s390x
  - name_template: ghcr.io/anchore/syft:{{.Tag}}
@ -260,6 +305,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-s390x
  # nonroot images...
@ -268,6 +314,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-nonroot-amd64
      - anchore/syft:{{.Tag}}-nonroot-arm64v8
      - anchore/syft:{{.Tag}}-nonroot-ppc64le
      - anchore/syft:{{.Tag}}-nonroot-riscv64
      - anchore/syft:{{.Tag}}-nonroot-s390x
  - name_template: ghcr.io/anchore/syft:nonroot
@ -275,6 +322,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
  - name_template: anchore/syft:{{.Tag}}-nonroot
@ -282,6 +330,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-nonroot-amd64
      - anchore/syft:{{.Tag}}-nonroot-arm64v8
      - anchore/syft:{{.Tag}}-nonroot-ppc64le
      - anchore/syft:{{.Tag}}-nonroot-riscv64
      - anchore/syft:{{.Tag}}-nonroot-s390x
  - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot
@ -289,6 +338,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
  # debug images...
@ -297,6 +347,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-debug-amd64
      - anchore/syft:{{.Tag}}-debug-arm64v8
      - anchore/syft:{{.Tag}}-debug-ppc64le
      - anchore/syft:{{.Tag}}-debug-riscv64
      - anchore/syft:{{.Tag}}-debug-s390x
  - name_template: ghcr.io/anchore/syft:debug
@ -304,6 +355,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
  - name_template: anchore/syft:{{.Tag}}-debug
@ -311,6 +363,7 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-debug-amd64
      - anchore/syft:{{.Tag}}-debug-arm64v8
      - anchore/syft:{{.Tag}}-debug-ppc64le
      - anchore/syft:{{.Tag}}-debug-riscv64
      - anchore/syft:{{.Tag}}-debug-s390x
  - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug
@ -318,6 +371,7 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
      - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
      - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
      - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
 sboms:
--- a/.make/go.mod
+++ b/.make/go.mod
@ -0,0 +1,14 @@
 module github.com/anchore/syft/.make
 go 1.25.8
 require (
 	github.com/anchore/go-make v0.5.0
 	github.com/goccy/go-yaml v1.19.2
 )
 require (
 	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
 	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/sys v0.44.0 // indirect
 )
--- a/.make/go.sum
+++ b/.make/go.sum
@ -0,0 +1,10 @@
 github.com/anchore/go-make v0.5.0 h1:VGlwqVhzowFb+9w/gaWUIid/YXvQZReBWKcj4LaZ3dM=
 github.com/anchore/go-make v0.5.0/go.mod h1:Nc/tkwQHW1d1Vi8+0rtS/vSrH6pxieaUQXLdrctn+8g=
 github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
 github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
 golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
--- a/.make/main.go
+++ b/.make/main.go
@ -0,0 +1,209 @@
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 	"github.com/goccy/go-yaml"
 	. "github.com/anchore/go-make"
 	"github.com/anchore/go-make/file"
 	"github.com/anchore/go-make/git"
 	"github.com/anchore/go-make/lang"
 	"github.com/anchore/go-make/run"
 	"github.com/anchore/go-make/tasks/golint"
 	"github.com/anchore/go-make/tasks/goreleaser"
 	"github.com/anchore/go-make/tasks/gotest"
 )
 // taskfileDescriptions maps Taskfile.yaml task names to their `desc:` field.
 // Loaded at package init so wrap() can use Taskfile.yaml as the single source
 // of truth for wrapped-task descriptions.
 var taskfileDescriptions = mustReadTaskfileDescriptions()
 func main() {
 	Makefile(
 		// shared anchore tasks
 		golint.Tasks(),
 		goreleaser.Tasks(),
 		// unit tests: exclude packages under any test/ directory (matches the syft
 		// Taskfile's prior `grep -v` against test paths). Coverage threshold of 62%
 		// preserves the prior coverage gate that used to live in scripts/coverage.py.
 		gotest.Tasks(
 			gotest.Name("unit"),
 			gotest.ExcludeGlob("**/test/**"),
 			gotest.CoverageThreshold(62),
 		),
 		// integration tests: native go-make Task. The race-detector smoke against a
 		// real image stays bundled here (RunsOn integration) so `make integration`
 		// behaves like the Taskfile version did.
 		gotest.Tasks(
 			gotest.Name("integration"),
 			gotest.IncludeGlob("./cmd/syft/internal/test/integration/..."),
 			gotest.Verbose(),
 			gotest.NoCoverage(),
 		),
 		Task{
 			Name:        "integration:race-smoke",
 			Description: "exercise the CLI with the race detector",
 			RunsOn:      lang.List("integration"),
 			Run: func() {
 				Run("go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2")
 			},
 		},
 		// cli tests: native go-make Task. Requires SYFT_BINARY_LOCATION pointing at
 		// an *absolute* path to the snapshot binary. Intentionally does NOT depend
 		// on snapshot: in CI we download a pre-built snapshot artifact and re-running
 		// goreleaser here would both burn ~10m and clobber the downloaded binary.
 		// Locally, the failure message tells you to run `make snapshot` first.
 		Task{
 			Name:        "cli",
 			Description: "Run CLI tests",
 			RunsOn:      lang.List("test"),
 			Run: func() {
 				bin := snapshotBinPath()
 				if !file.Exists(bin) {
 					panic(fmt.Sprintf("snapshot binary not found at %s; run `make snapshot` first", bin))
 				}
 				Log("testing binary: %s", bin)
 				Run(
 					"go test -count=1 -timeout=15m -v ./test/cli",
 					run.Env("SYFT_BINARY_LOCATION", bin),
 				)
 			},
 		},
 		// default validation pipeline (replaces Taskfile `default`/`pr-validations`/`validations`).
 		Task{
 			Name:         "default",
 			Description:  "Run all validation tasks",
 			Dependencies: Deps("static-analysis", "test", "install-test"),
 		},
 		// --- everything below is implemented in Taskfile.yaml and surfaced here
 		// via wrap(). Descriptions come from Taskfile.yaml (single source of truth).
 		// static analysis extras
 		wrap("check-json-schema-drift").RunOn("static-analysis"),
 		wrap("check-capability-drift"),
 		wrap("check-binary-fixture-size").RunOn("static-analysis"),
 		// test extras
 		wrap("validate-cyclonedx-schema").RunOn("test"),
 		wrap("test-utils").RunOn("test"),
 		wrap("check-docker-cache").RunOn("test"),
 		wrap("snapshot-smoke-test"),
 		// update commands
 		wrap("update-format-golden-files"),
 		// fixture cache plumbing (heavy ORAS logic, lives in Taskfile).
 		// refresh-fixtures hooks into "unit" so `make unit` triggers the
 		// stale-cache detection + download just like `task unit` did on main
 		// (its `deps: [tmpdir, fixtures]` is what kept the fixture cache fresh).
 		wrap("fingerprints"),
 		wrap("refresh-fixtures").RunOn("unit"),
 		wrap("fixtures"),
 		wrap("build-fixtures"),
 		wrap("download-test-fixture-cache"),
 		wrap("upload-test-fixture-cache"),
 		wrap("show-test-image-cache"),
 		// install-script tests (delegates to test/install/Makefile)
 		wrap("install-test"),
 		wrap("install-test-cache-save"),
 		wrap("install-test-cache-load"),
 		wrap("install-test-ci-mac"),
 		// compare tests
 		wrap("generate-compare-file"),
 		wrap("compare-mac"),
 		wrap("compare-linux"),
 		wrap("compare-test-deb-package-install"),
 		wrap("compare-test-rpm-package-install"),
 		// code/data generation (umbrella + per-target; each lives in Taskfile)
 		wrap("generate"),
 		wrap("generate-json-schema"),
 		wrap("generate-license-list"),
 		wrap("generate-cpe-dictionary-index"),
 		wrap("generate-capabilities"),
 		// cleanup (each hooks into go-make's built-in `clean` label)
 		wrap("clean-snapshot").RunOn("clean"),
 		wrap("clean-docker-cache").RunOn("clean"),
 		wrap("clean-oras-cache").RunOn("clean"),
 		wrap("clean-cache").RunOn("clean"),
 		wrap("clean-test-observations").RunOn("clean"),
 	)
 }
 // wrap creates a go-make Task that delegates execution to `task <name>`. The
 // task's description is pulled from Taskfile.yaml's `desc:` field — descriptions
 // for wrapped tasks must always live in Taskfile.yaml, never here.
 func wrap(name string) Task {
 	desc, ok := taskfileDescriptions[name]
 	if !ok || desc == "" {
 		// loud-fail at startup so missing descs can't sneak through review.
 		panic(fmt.Sprintf("Taskfile.yaml task %q is missing a `desc:` field; please add one", name))
 	}
 	return Task{
 		Name:        name,
 		Description: desc,
 		Run:         func() { Run("task " + name) },
 	}
 }
 // mustReadTaskfileDescriptions parses Taskfile.yaml at the repo root and returns
 // a map of task name -> desc. Runs at package init time so wrap() can use it.
 func mustReadTaskfileDescriptions() map[string]string {
 	root := git.Root()
 	if root == "" {
 		return nil
 	}
 	path := filepath.Join(root, "Taskfile.yaml")
 	data, err := os.ReadFile(path) //nolint:gosec // G304: path resolved from git.Root()
 	if err != nil {
 		return nil
 	}
 	var tf struct {
 		Tasks map[string]struct {
 			Desc    string   `yaml:"desc"`
 			Aliases []string `yaml:"aliases"`
 		} `yaml:"tasks"`
 	}
 	lang.Throw(yaml.Unmarshal(data, &tf))
 	out := make(map[string]string, len(tf.Tasks))
 	for name, t := range tf.Tasks {
 		out[name] = t.Desc
 		// aliases inherit the canonical task's description so wrap() can find them.
 		for _, alias := range t.Aliases {
 			out[alias] = t.Desc
 		}
 	}
 	return out
 }
 // snapshotBinPath replicates the SNAPSHOT_BIN computation from the prior Taskfile:
 // <repoRoot>/snapshot/<os>-build_<os>_<arch>/syft, where arch maps amd64->amd64_v1
 // and arm64->arm64_v8.0 to match goreleaser's per-target output directory naming.
 // Returns an absolute path: the cli tests' getSyftBinaryLocation contract requires
 // SYFT_BINARY_LOCATION to be absolute because subtests run with cmd.Dir = t.TempDir().
 func snapshotBinPath() string {
 	osName := runtime.GOOS
 	var arch string
 	switch runtime.GOARCH {
 	case "amd64":
 		arch = "amd64_v1"
 	case "arm64":
 		arch = "arm64_v8.0"
 	default:
 		arch = runtime.GOARCH
 	}
 	return filepath.Join(RootDir(), "snapshot", osName+"-build_"+osName+"_"+arch, "syft")
 }
--- a/3
+++ b/3
@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:latest AS build
+ARG DEBIAN_VERSION=12
 FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:latest AS build
 FROM scratch
 # needed for version check HTTPS request
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:debug-nonroot
+ARG DEBIAN_VERSION=12
 FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
--- a/Dockerfile.nonroot
+++ b/Dockerfile.nonroot
@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:nonroot
+ARG DEBIAN_VERSION=12
 FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
--- a/54
+++ b/54
@ -1,46 +1,18 @@
-OWNER = anchore
+# `test` and `snapshot` have matching directory names in this repo, so make would
-PROJECT = syft
+# refuse to run them without an explicit .PHONY (Nothing to be done for ...).
 .PHONY: test snapshot
 test:
 	@go run -C .make . test
-TOOL_DIR = .tool
+snapshot:
-BINNY = $(TOOL_DIR)/binny
+	@go run -C .make . snapshot
 TASK = $(TOOL_DIR)/task
-.DEFAULT_GOAL := make-default
+.PHONY: *
 .DEFAULT_GOAL: make-default
-## Bootstrapping targets #################################
+make-default:
 	@go run -C .make .
-# note: we need to assume that binny and task have not already been installed
+.DEFAULT:
 $(BINNY):
 	@mkdir -p $(TOOL_DIR)
 	@curl -sSfL https://get.anchore.io/binny | sh -s -- -b $(TOOL_DIR)
 # note: we need to assume that binny and task have not already been installed
 .PHONY: task
 $(TASK) task: $(BINNY)
 	@$(BINNY) install task -q
 .PHONY: ci-bootstrap-go
 ci-bootstrap-go:
 	go mod download
 # this is a bootstrapping catch-all, where if the target doesn't exist, we'll ensure the tools are installed and then try again
 %:
-	@make --silent $(TASK)
+	@go run -C .make . $@
 	@$(TASK) $@
 ## Shim targets #################################
 .PHONY: make-default
 make-default: $(TASK)
 	@# run the default task in the taskfile
 	@$(TASK)
 # for those of us that can't seem to kick the habit of typing `make ...` lets wrap the superior `task` tool
 TASKS := $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep '^\* ' | cut -d' ' -f2 | tr -d ':' | tr '\n' ' '" ) $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep 'aliases:' | cut -d ':' -f 3 | tr '\n' ' ' | tr -d ','")
 .PHONY: $(TASKS)
 $(TASKS): $(TASK)
 	@$(TASK) $@
 help: $(TASK)
 	@$(TASK) -l
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@ -1,6 +1,11 @@
 version: "3"
 # NOTE: most generic tasks (static-analysis, format, lint, unit, snapshot, release,
 # changelog, ci-release, etc.) are now provided natively by anchore/go-make and
 # defined in .make/main.go. This file holds the syft-specific tasks that go-make
 # wraps via `wrap("<name>")` calls — keep descriptions (`desc:`) populated so they
 # show up in `make help`.
 includes:
  generate:cpe-index: ./task.d/generate/cpe-index.yaml
@ -25,11 +30,7 @@ vars:
  YQ: "{{ .TOOL_DIR }}/yq"
  TASK: "{{ .TOOL_DIR }}/task"
-  # used for changelog generation
+  # used for snapshot bin discovery in compare/install tasks
  CHANGELOG: CHANGELOG.md
  NEXT_VERSION: VERSION
  # used for snapshot builds
  OS:
    sh: uname -s | tr '[:upper:]' '[:lower:]'
  ARCH:
@ -42,11 +43,6 @@ vars:
  # e.g. when installing snapshot debs from a local path, ./ forces the deb to be installed in the current working directory instead of referencing a package name
  SNAPSHOT_DIR: ./snapshot
  SNAPSHOT_BIN: "{{ .PROJECT_ROOT }}/{{ .SNAPSHOT_DIR }}/{{ .OS }}-build_{{ .OS }}_{{ .ARCH }}/{{ .PROJECT }}"
  SNAPSHOT_CMD: "{{ .TOOL_DIR }}/goreleaser release --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --skip=publish --skip=sign"
  BUILD_CMD:    "{{ .TOOL_DIR }}/goreleaser build   --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --single-target"
  RELEASE_CMD:  "{{ .TOOL_DIR }}/goreleaser release --clean --release-notes {{ .CHANGELOG }}"
  VERSION:
    sh: git describe --dirty --always --tags
  # used for install and acceptance testing
  COMPARE_DIR: ./test/compare
@ -57,43 +53,10 @@ env:
 tasks:
-  ## High-level tasks #################################
+  ## Bootstrap (internal helpers used by other Taskfile tasks) ###############
  default:
    desc: Run all validation tasks
    aliases:
      - pr-validations
      - validations
    cmds:
      - task: static-analysis
      - task: test
      - task: install-test
  static-analysis:
    desc: Run all static analysis tasks
    cmds:
      - task: check-go-mod-tidy
      - task: check-licenses
      - task: lint
      - task: check-json-schema-drift
      - task: check-binary-fixture-size
  test:
    desc: Run all levels of test
    cmds:
      - task: unit
      - task: integration
      - task: validate-cyclonedx-schema
      - task: test-utils
      - task: snapshot
      - task: cli
      - task: check-docker-cache
  ## Bootstrap tasks #################################
  binny:
    internal: true
    # desc: Get the binny tool
    generates:
      - "{{ .TOOL_DIR }}/binny"
    status:
@ -102,10 +65,8 @@ tasks:
    silent: true
  tools:
-    desc: Install all tools needed for CI and local development
+    internal: true
    deps: [binny]
    aliases:
      - bootstrap
    generates:
      - ".binny.yaml"
      - "{{ .TOOL_DIR }}/*"
@ -114,79 +75,14 @@ tasks:
    cmd: "{{ .TOOL_DIR }}/binny install -v"
    silent: true
  update-tools:
    desc: Update pinned versions of all tools to their latest available versions
    deps: [binny]
    generates:
      - ".binny.yaml"
      - "{{ .TOOL_DIR }}/*"
    cmd: "{{ .TOOL_DIR }}/binny update -v"
    silent: true
  list-tools:
    desc: List all tools needed for CI and local development
    deps: [binny]
    cmd: "{{ .TOOL_DIR }}/binny list"
    silent: true
  list-tool-updates:
    desc: List all tools that are not up to date relative to the binny config
    deps: [binny]
    cmd: "{{ .TOOL_DIR }}/binny list --updates"
    silent: true
  tmpdir:
    internal: true
    silent: true
    generates:
      - "{{ .TMP_DIR }}"
    cmd: "mkdir -p {{ .TMP_DIR }}"
-  ## Static analysis tasks #################################
+  ## Static analysis extras #################################################
  format:
    desc: Auto-format all source code
    deps: [tools]
    cmds:
      - gofmt -w -s .
      - "{{ .TOOL_DIR }}/gosimports -local github.com/anchore -w ."
      - go mod tidy
  lint-fix:
    desc: Auto-format all source code + run golangci lint fixers
    deps: [tools]
    cmds:
      - task: format
      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false --fix"
  lint:
    desc: Run gofmt + golangci lint checks
    vars:
      BAD_FMT_FILES:
        sh: gofmt -l -s .
      BAD_FILE_NAMES:
        sh: "find . | grep -e ':' || true"
    deps: [tools]
    cmds:
      # ensure there are no go fmt differences
      - cmd: 'test -z "{{ .BAD_FMT_FILES }}" || (echo "files with gofmt issues: [{{ .BAD_FMT_FILES }}]"; exit 1)'
        silent: true
      # ensure there are no files with ":" in it (a known back case in the go ecosystem)
      - cmd: 'test -z "{{ .BAD_FILE_NAMES }}" || (echo "files with bad names: [{{ .BAD_FILE_NAMES }}]"; exit 1)'
        silent: true
      # run linting
      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false"
  check-licenses:
    # desc: Ensure transitive dependencies are compliant with the current license policy
    deps: [tools]
    cmd: "{{ .TOOL_DIR }}/bouncer check ./..."
  check-go-mod-tidy:
    # desc: Ensure go.mod and go.sum are up to date
    cmds:
      - cmd: .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
        silent: true
  check-json-schema-drift:
    desc: Ensure there is no drift between the JSON schema and the code
@ -203,8 +99,8 @@ tasks:
    cmds:
      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/testdata/classifiers/snippets
  ## Test extras ############################################################
  ## Testing tasks #################################
  update-format-golden-files:
    desc: "Update golden (i.e. snapshot) files used by unit tests"
    cmds:
@ -214,59 +110,32 @@ tasks:
      - go test ./syft/format/cyclonedxjson -update-cyclonedx-json
      - go test ./syft/format/syftjson -update-json
  unit:
    desc: Run unit tests
    deps:
      - tmpdir
      - fixtures
    vars:
      TEST_PKGS:
        sh: "go list ./... | grep -v {{ .OWNER }}/{{ .PROJECT }}/test | grep -v {{ .OWNER }}/{{ .PROJECT }}/cmd/syft/internal/test | tr '\n' ' '"
      # unit test coverage threshold (in % coverage)
      COVERAGE_THRESHOLD: 62
    cmds:
      - task: clean-test-observations
      - "go test -coverprofile {{ .TMP_DIR }}/unit-coverage-details.txt {{ .TEST_PKGS }}"
      - cmd: ".github/scripts/coverage.py {{ .COVERAGE_THRESHOLD }} {{ .TMP_DIR }}/unit-coverage-details.txt"
        silent: true
  integration:
    desc: Run integration tests
    cmds:
      - "go test -v ./cmd/syft/internal/test/integration"
      # exercise most of the CLI with the data race detector
      # we use a larger image to ensure we're using multiple catalogers at a time
      - "go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2"
  validate-cyclonedx-schema:
    desc: Validate that Syft produces valid CycloneDX documents
    cmds:
      - "cd schema/cyclonedx && make"
  cli:
    desc: Run CLI tests
    deps: [tools]
    cmds:
      - cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "go test -count=1 -timeout=15m -v ./test/cli"
    env:
      SYFT_BINARY_LOCATION: "{{ .SNAPSHOT_BIN }}"
  test-utils:
    desc: Run tests for pipeline utils
    cmds:
      - cmd: .github/scripts/labeler_test.py
  snapshot-smoke-test:
    desc: Run a smoke test on the snapshot builds + docker images
    cmds:
      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "{{ .SNAPSHOT_BIN }} version"
      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
      - docker run --rm anchore/syft:latest version
      - docker run --rm anchore/syft:latest scan alpine:latest
-  ## Test-fixture-related targets #################################
+  ## Test-fixture-related targets ###########################################
  fingerprints:
-    desc: Generate fingerprints for all non-docker test fixture
+    desc: Generate fingerprints for all non-docker test fixtures
    silent: true
    # this will look for `testdata/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
    generates:
@ -281,16 +150,10 @@ tasks:
        echo -e "${YELLOW}creating fingerprint files for non-docker fixtures...${RESET}"
        for dir in $(find . -type d -name 'testdata'); do
          if [ -f "$dir/Makefile" ]; then
            # for debugging...
            #echo -e "${YELLOW}• calculating fingerprints in $dir... ${RESET}"
            (make -C "$dir" fingerprint)
          fi
        done
        # for debugging...
        # echo -e "generated all fixture fingerprints"
      - .github/scripts/fingerprint_docker_fixtures.py
      - |
        # if DOWNLOAD_TEST_FIXTURE_CACHE is set to 'false', then we don't need to calculate the fingerprint for the cache
@ -432,6 +295,7 @@ tasks:
      eval $oras_command
  show-test-image-cache:
    desc: Print the on-disk + docker daemon state of the stereoscope fixture image cache
    silent: true
    cmds:
      - "echo 'Docker daemon cache:'"
@ -452,28 +316,36 @@ tasks:
        exit 1
      fi
-  ## install.sh testing targets #################################
+  ## install.sh testing targets #############################################
  install-test:
    desc: Run install.sh test suite (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make"
  install-test-cache-save:
    desc: Save the install.sh test image cache (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make save"
  install-test-cache-load:
    desc: Load the install.sh test image cache (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make load"
  install-test-ci-mac:
    desc: Run install.sh CI test suite on macOS (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make ci-test-mac"
  ## Compare-test targets ###################################################
  generate-compare-file:
    desc: Generate the acceptance comparison reference JSON for the current compare image
    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/testdata/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
  compare-mac:
    desc: Run macOS install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/mac.sh \
@ -483,11 +355,13 @@ tasks:
        {{ .TMP_DIR }}
  compare-linux:
    desc: Run Linux install + acceptance comparison (deb + rpm) against the snapshot build
    cmds:
      - task: compare-test-deb-package-install
      - task: compare-test-rpm-package-install
  compare-test-deb-package-install:
    desc: Run Linux .deb install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/deb.sh \
@ -497,6 +371,7 @@ tasks:
        {{ .TMP_DIR }}
  compare-test-rpm-package-install:
    desc: Run Linux .rpm install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/rpm.sh \
@ -506,7 +381,7 @@ tasks:
        {{ .TMP_DIR }}
-  ## Code and data generation targets #################################
+  ## Code and data generation targets ######################################
  generate:
    desc: Add data generation tasks
@ -556,104 +431,7 @@ tasks:
      - "SYFT_ENABLE_COMPLETENESS_TESTS=true go test -p 1 ./internal/capabilities/... -count=1"
-  ## Build-related targets #################################
+  ## Cleanup targets ########################################################
  build:
    desc: Build the project
    deps: [tools, tmpdir]
    generates:
      - "{{ .PROJECT }}"
    cmds:
      - silent: true
        cmd: |
          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
      - "{{ .BUILD_CMD }}"
  snapshot:
    desc: Create a snapshot release
    aliases:
      - build
    deps: [tools, tmpdir]
    sources:
      - cmd/**/*.go
      - syft/**/*.go
      - internal/**/*.go
    method: checksum
    generates:
      - "{{ .SNAPSHOT_BIN }}"
    cmds:
      - silent: true
        cmd: |
          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
      - "{{ .SNAPSHOT_CMD }}"
  snapshot-smoke-test:
    desc: Run a smoke test on the snapshot builds + docker images
    cmds:
      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "{{ .SNAPSHOT_BIN }} version"
      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
      - docker run --rm anchore/syft:latest version
      - docker run --rm anchore/syft:latest scan alpine:latest
  changelog:
    desc: Generate a changelog
    deps: [tools]
    generates:
      - "{{ .CHANGELOG }}"
      - "{{ .NEXT_VERSION }}"
    cmds:
      - "{{ .TOOL_DIR }}/chronicle -vv -n --version-file {{ .NEXT_VERSION }} > {{ .CHANGELOG }}"
      - "{{ .TOOL_DIR }}/glow -w 0 {{ .CHANGELOG }}"
  ## Release targets #################################
  release:
    desc: Create a release
    interactive: true
    deps: [tools]
    cmds:
      - cmd: .github/scripts/trigger-release.sh
        silent: true
  ## CI-only targets #################################
  ci-check:
    # desc: "[CI only] Are you in CI?"
    cmds:
      - cmd: .github/scripts/ci-check.sh
        silent: true
  ci-release:
    # desc: "[CI only] Create a release"
    deps: [tools]
    cmds:
      - task: ci-check
      - "{{ .TOOL_DIR }}/chronicle -vvv > CHANGELOG.md"
      - cmd: "cat CHANGELOG.md"
        silent: true
      - "{{ .RELEASE_CMD }}"
  ## Cleanup targets #################################
  clean:
    desc: Remove all cache files and old builds
    cmds:
      - task: clean-snapshot
      - task: clean-cache
      - task: clean-test-observations
      - task: clean-docker-cache
      - task: clean-oras-cache
  clean-snapshot:
    desc: Remove any snapshot builds
@ -675,6 +453,7 @@ tasks:
    desc: Remove all image docker tar cache, images from the docker daemon, and ephemeral test fixtures
    cmds:
      - task: clean-docker-cache
      - task: prune-orphan-fingerprints
      - |
        BOLD='\033[1m'
        YELLOW='\033[0;33m'
@ -690,6 +469,12 @@ tasks:
        echo -e "${BOLD}Deleted all ephemeral test fixtures${RESET}"
      - rm -f {{ .LAST_CACHE_PULL_FILE }} {{ .CACHE_PATHS_FILE }}
  prune-orphan-fingerprints:
    desc: Remove *.fingerprint files left behind by moved/deleted catalogers
    silent: true
    cmds:
      - .github/scripts/prune_orphan_fingerprints.py
  clean-test-observations:
    desc: Remove all test observations (i.e. testdata/test-observations.json)
    cmds:
--- a/cmd/syft/internal/commands/attest.go
+++ b/cmd/syft/internal/commands/attest.go
@ -59,7 +59,7 @@ func Attest(app clio.Application) *cobra.Command {
 		Use:   "attest --output [FORMAT] <IMAGE>",
 		Short: "Generate an SBOM as an attestation for the given [SOURCE] container image",
 		Long:  "Generate a packaged-based Software Bill Of Materials (SBOM) from a container image as the predicate of an in-toto attestation that will be uploaded to the image registry",
-		Example: internal.Tprintf(attestHelp, map[string]interface{}{
+		Example: internal.Tprintf(attestHelp, map[string]any{
 			"appName": id.Name,
 			"command": "attest",
 		}),
--- a/cmd/syft/internal/commands/cataloger_info.go
+++ b/cmd/syft/internal/commands/cataloger_info.go
@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"slices"
 	"sort"
 	"strings"
@ -248,12 +249,7 @@ func renderCatalogerInfoJSON(doc *capabilities.Document, catalogers []capabiliti
 // isDeprecatedCataloger checks if a cataloger is deprecated based on its selectors
 func isDeprecatedCataloger(selectors []string) bool {
-	for _, selector := range selectors {
+	return slices.Contains(selectors, "deprecated")
 		if selector == "deprecated" {
 			return true
 		}
 	}
 	return false
 }
 // convertDetectorPackages converts detector package info to the JSON output format
@ -452,7 +448,7 @@ func extractArrayCapability(caps capabilities.CapabilitySet, name string) string
 				if len(v) > 0 {
 					return strings.Join(v, ", ")
 				}
-			case []interface{}:
+			case []any:
 				if len(v) > 0 {
 					strs := make([]string, 0, len(v))
 					for _, item := range v {
@ -475,7 +471,7 @@ func extractNodesCapability(caps capabilities.CapabilitySet) string {
 			switch v := cap.Default.(type) {
 			case []string:
 				return formatDepthStringArray(v)
-			case []interface{}:
+			case []any:
 				return formatDepthInterfaceArray(v)
 			}
 			return noStyle.Render("·")
@ -496,7 +492,7 @@ func formatDepthStringArray(v []string) string {
 }
 // formatDepthInterfaceArray formats a []interface{} dependency depth value
-func formatDepthInterfaceArray(v []interface{}) string {
+func formatDepthInterfaceArray(v []any) string {
 	if len(v) == 0 {
 		return noStyle.Render("·")
 	}
--- a/cmd/syft/internal/commands/convert.go
+++ b/cmd/syft/internal/commands/convert.go
@ -40,7 +40,7 @@ func Convert(app clio.Application) *cobra.Command {
 		Use:   "convert [SOURCE-SBOM] -o [FORMAT]",
 		Short: "Convert between SBOM formats",
 		Long:  "[Experimental] Convert SBOM files to, and from, SPDX, CycloneDX and Syft's format. For more info about data loss between formats see https://github.com/anchore/syft/wiki/format-conversion",
-		Example: internal.Tprintf(convertExample, map[string]interface{}{
+		Example: internal.Tprintf(convertExample, map[string]any{
 			"appName": id.Name,
 			"command": "convert",
 		}),
--- a/cmd/syft/internal/commands/packages.go
+++ b/cmd/syft/internal/commands/packages.go
@ -18,7 +18,7 @@ func Packages(app clio.Application, scanCmd *cobra.Command) *cobra.Command {
 		Short: scanCmd.Short,
 		Long:  scanCmd.Long,
 		Args:  scanCmd.Args,
-		Example: internal.Tprintf(scanHelp, map[string]interface{}{
+		Example: internal.Tprintf(scanHelp, map[string]any{
 			"appName": id.Name,
 			"command": "packages",
 		}),
--- a/cmd/syft/internal/commands/packages_test.go
+++ b/cmd/syft/internal/commands/packages_test.go
@ -29,7 +29,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 		{
 			name: "single non-expression error is retained",
 			err:  errors.New("foo"),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				return assert.Equal(t, "foo", err.Error())
 			},
 			wantHelp: "",
@ -42,7 +42,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 				err = multierror.Append(err, errors.New("bar"))
 				return err
 			}(),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				// note: this is the default formatting from the hashicorp multierror object
 				expected := `2 errors occurred:
 	* foo
@ -64,7 +64,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 				err = multierror.Append(err, errors.New("last"))
 				return err
 			}(),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				expected := `5 errors occurred:
 	* foo
 	* invalid expression: "foo": tags are not allowed with this operation (must use exact names)
@ -103,7 +103,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 				return fmt.Errorf("top: %w", fmt.Errorf("middle: %w", err))
 			}(),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				expected := `top: middle: 4 errors occurred:
 	* foo: bar: last
 	* invalid expression: "foo": tags are not allowed with this operation (must use exact names)
@ -142,7 +142,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 				// note we wrap the top error in a chain
 				return fmt.Errorf("top: %w", fmt.Errorf("middle: %w", err))
 			}(),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				expected := `top: middle: 4 errors occurred:
 	* foo: bar: last
 	* invalid expression: "foo": tags are not allowed with this operation (must use exact names)
@ -178,7 +178,7 @@ func Test_filterExpressionErrors_expressionErrorsHelp(t *testing.T) {
 				return err
 			}(),
-			wantErr: func(t assert.TestingT, err error, i ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, i ...any) bool {
 				// note: the errors are removed and the help text shows the enriched error help
 				expected := `2 errors occurred:
 	* invalid expression: "foo": tags are not allowed with this operation (must use exact names)
--- a/cmd/syft/internal/commands/scan.go
+++ b/cmd/syft/internal/commands/scan.go
@ -92,7 +92,7 @@ func Scan(app clio.Application) *cobra.Command {
 		Use:   "scan [SOURCE]",
 		Short: "Generate an SBOM",
 		Long:  "Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems",
-		Example: internal.Tprintf(scanHelp, map[string]interface{}{
+		Example: internal.Tprintf(scanHelp, map[string]any{
 			"appName": id.Name,
 			"command": "scan",
 		}),
--- a/cmd/syft/internal/commands/scan_test.go
+++ b/cmd/syft/internal/commands/scan_test.go
@ -60,7 +60,7 @@ func Test_scanOptions_validateLegacyOptionsNotUsed(t *testing.T) {
 }
 func assertErrorContains(contains string) assert.ErrorAssertionFunc {
-	return func(t assert.TestingT, err error, i ...interface{}) bool {
+	return func(t assert.TestingT, err error, i ...any) bool {
 		return assert.ErrorContains(t, err, contains, i...)
 	}
 }
--- a/cmd/syft/internal/options/catalog.go
+++ b/cmd/syft/internal/options/catalog.go
@ -2,6 +2,7 @@ package options
 import (
 	"fmt"
 	"slices"
 	"sort"
 	"strings"
@ -313,12 +314,10 @@ func enrichmentEnabled(enrichDirectives []string, features ...string) *bool {
 				directive = directive[1:]
 				enable = false
 			}
-			for _, feature := range features {
+			if slices.Contains(features, directive) {
 				if directive == feature {
 				return &enable
 			}
 		}
 		}
 		return nil
 	}
--- a/cmd/syft/internal/options/writer_test.go
+++ b/cmd/syft/internal/options/writer_test.go
@ -32,7 +32,7 @@ func Test_MakeSBOMWriter(t *testing.T) {
 		{
 			name:    "unknown format",
 			outputs: []string{"unknown"},
-			wantErr: func(t assert.TestingT, err error, bla ...interface{}) bool {
+			wantErr: func(t assert.TestingT, err error, bla ...any) bool {
 				return assert.ErrorContains(t, err, `unsupported output format "unknown", supported formats are:`)
 			},
 		},
--- a/cmd/syft/internal/test/integration/catalog_packages_test.go
+++ b/cmd/syft/internal/test/integration/catalog_packages_test.go
@ -2,6 +2,7 @@ package integration
 import (
 	"context"
 	"slices"
 	"strings"
 	"testing"
@ -194,11 +195,8 @@ func assertPackages(t *testing.T, sbom sbom.SBOM, test testCase, observedLanguag
 		}
 		var foundLang bool
-		for _, lang := range strings.Split(test.pkgLanguage.String(), ",") {
+		if slices.Contains(strings.Split(test.pkgLanguage.String(), ","), actualPkg.Language.String()) {
 			if actualPkg.Language.String() == lang {
 			foundLang = true
 				break
 			}
 		}
 		if !foundLang {
 			t.Errorf("bad language (pkg=%+v): %+v", actualPkg.Name, actualPkg.Language)
--- a/cmd/syft/internal/test/integration/package_cataloger_convention_test.go
+++ b/cmd/syft/internal/test/integration/package_cataloger_convention_test.go
@ -329,7 +329,7 @@ func packageCatalogerExports(t *testing.T) map[string]exportTokenSet {
 					}
 					exportsPerPackage[pkg].Add(exportToken{
 						Name:            decl.Name.Name,
-						Type:            reflect.TypeOf(decl.Type).String(),
+						Type:            reflect.TypeFor[*ast.FuncType]().String(),
 						SignatureSize:   len(decl.Type.Params.List),
 						ReturnTypeNames: returnTypes,
 					})
--- a/cmd/syft/internal/ui/log_writer_test.go
+++ b/cmd/syft/internal/ui/log_writer_test.go
@ -36,33 +36,33 @@ func Test_logWriter(t *testing.T) {
 type bufferLogger struct{ values []any }
-func (l *bufferLogger) Tracef(_ string, _ ...interface{}) {}
+func (l *bufferLogger) Tracef(_ string, _ ...any) {}
-func (l *bufferLogger) Debugf(_ string, _ ...interface{}) {}
+func (l *bufferLogger) Debugf(_ string, _ ...any) {}
-func (l *bufferLogger) Infof(_ string, _ ...interface{}) {}
+func (l *bufferLogger) Infof(_ string, _ ...any) {}
-func (l *bufferLogger) Warnf(_ string, _ ...interface{}) {}
+func (l *bufferLogger) Warnf(_ string, _ ...any) {}
-func (l *bufferLogger) Errorf(_ string, _ ...interface{}) {}
+func (l *bufferLogger) Errorf(_ string, _ ...any) {}
-func (l *bufferLogger) Trace(vals ...interface{}) {
+func (l *bufferLogger) Trace(vals ...any) {
 	l.values = append(l.values, vals...)
 }
-func (l *bufferLogger) Debug(_ ...interface{}) {}
+func (l *bufferLogger) Debug(_ ...any) {}
-func (l *bufferLogger) Info(_ ...interface{}) {}
+func (l *bufferLogger) Info(_ ...any) {}
-func (l *bufferLogger) Warn(vals ...interface{}) {
+func (l *bufferLogger) Warn(vals ...any) {
 	l.values = append(l.values, vals...)
 }
-func (l *bufferLogger) Error(_ ...interface{}) {}
+func (l *bufferLogger) Error(_ ...any) {}
-func (l *bufferLogger) WithFields(_ ...interface{}) logger.MessageLogger { return l }
+func (l *bufferLogger) WithFields(_ ...any) logger.MessageLogger { return l }
-func (l *bufferLogger) Nested(_ ...interface{}) logger.Logger { return l }
+func (l *bufferLogger) Nested(_ ...any) logger.Logger { return l }
 func (l *bufferLogger) SetOutput(_ io.Writer) {}
--- a/go.mod
+++ b/go.mod
@ -1,62 +1,68 @@
 module github.com/anchore/syft
-go 1.25.8
+go 1.26.3
 require (
 	github.com/BurntSushi/toml v1.6.0
-	github.com/CycloneDX/cyclonedx-go v0.10.0
+	github.com/CycloneDX/cyclonedx-go v0.11.0
-	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/Masterminds/semver/v3 v3.5.0
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/OneOfOne/xxhash v1.2.8
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/acobaugh/osrelease v0.1.0
 	github.com/adrg/xdg v0.5.3
-	github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9
+	github.com/anchore/bubbly v0.2.0
-	github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716
+	github.com/anchore/clio v0.1.0
-	github.com/anchore/fangs v0.0.0-20250319222917-446a1e748ec2
+	github.com/anchore/fangs v0.1.0
-	github.com/anchore/go-collections v0.0.0-20251016125210-a3c352120e8c
+	github.com/anchore/go-collections v0.1.0
-	github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d
+	github.com/anchore/go-homedir v0.1.0
-	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722
+	github.com/anchore/go-logger v0.1.0
-	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb
+	github.com/anchore/go-macholibre v0.1.0
-	github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec
+	github.com/anchore/go-rpmdb v0.1.0
-	github.com/anchore/go-sync v0.0.0-20250326131806-4eda43a485b6
+	github.com/anchore/go-sync v0.1.0
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
-	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115
+	github.com/anchore/packageurl-go v0.2.0
-	github.com/anchore/stereoscope v0.1.22
+	github.com/anchore/stereoscope v0.2.1
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/bmatcuk/doublestar/v4 v4.10.0
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/charmbracelet/bubbles v1.0.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/dave/jennifer v1.7.1
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
-	github.com/diskfs/go-diskfs v1.7.0
+	github.com/diskfs/go-diskfs v1.9.3
 	github.com/distribution/reference v0.6.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5
-	github.com/github/go-spdx/v2 v2.4.0
+	github.com/github/go-spdx/v2 v2.7.0
-	github.com/gkampitakis/go-snaps v0.5.21
+	github.com/gkampitakis/go-snaps v0.5.22
-	github.com/go-git/go-billy/v5 v5.8.0
+	github.com/go-git/go-billy/v5 v5.9.0
-	github.com/go-git/go-git/v5 v5.17.0
+	github.com/go-git/go-git/v5 v5.19.1
 	github.com/go-test/deep v1.1.1
 	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/goccy/go-yaml v1.19.2
 	github.com/gohugoio/hashstructure v0.6.0
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-containerregistry v0.21.2
+	github.com/google/go-containerregistry v0.21.6
 	github.com/google/licensecheck v0.3.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/color v1.6.0
+	github.com/gookit/color v1.6.1
 	github.com/gpustack/gguf-parser-go v0.24.1
 	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-getter v1.8.5
+	github.com/hashicorp/go-getter v1.8.6
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/iancoleman/strcase v0.3.0
-	github.com/invopop/jsonschema v0.13.0
+	github.com/invopop/jsonschema v0.14.0
-	github.com/jedib0t/go-pretty/v6 v6.7.8
+	github.com/jedib0t/go-pretty/v6 v6.7.10
 	github.com/jinzhu/copier v0.4.0
 	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953
 	github.com/klauspost/compress v1.18.6
 	github.com/magiconair/properties v1.8.10
 	github.com/mholt/archives v0.1.5
 	github.com/moby/sys/mountinfo v0.7.2
@ -77,6 +83,7 @@ require (
 	github.com/spf13/afero v1.15.0
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/ulikunitz/xz v0.5.15
 	github.com/vbatts/go-mtree v0.7.0
 	github.com/vifraa/gopom v1.0.0
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651
@ -85,95 +92,138 @@ require (
 	github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1
 	go.uber.org/goleak v1.3.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
-	golang.org/x/mod v0.34.0
+	golang.org/x/mod v0.36.0
-	golang.org/x/net v0.52.0
+	golang.org/x/net v0.55.0
-	modernc.org/sqlite v1.46.2
+	golang.org/x/time v0.15.0
 	golang.org/x/tools v0.45.0
 	gopkg.in/yaml.v3 v3.0.1
 	modernc.org/sqlite v1.51.0
 )
 require (
 	github.com/pb33f/ordered-map/v2 v2.3.1
 	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd
 )
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
-	cloud.google.com/go/storage v1.60.0 // indirect
+	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/storage v1.61.3 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 // indirect
-	github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
+	github.com/Microsoft/hcsshim v0.15.0-rc.1 // indirect
 	github.com/ProtonMail/go-crypto v1.4.0 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
-	github.com/agext/levenshtein v1.2.1 // indirect; indirectt
+	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/anchore/go-lzo v0.1.0 // indirect
 	github.com/anchore/go-struct-converter v0.1.0 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.32.12 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.12 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.1 // indirect
 	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/buger/jsonparser v1.1.2 // indirect
 	github.com/charmbracelet/colorprofile v0.4.1 // indirect
 	github.com/charmbracelet/harmonica v0.2.0 // indirect
 	github.com/charmbracelet/x/ansi v0.11.6 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/clipperhouse/displaywidth v0.10.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 	github.com/cloudflare/circl v1.6.3 // indirect
-	github.com/containerd/containerd/api v1.10.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/cgroups/v3 v3.1.3 // indirect
 	github.com/containerd/containerd/api v1.11.1 // indirect
 	github.com/containerd/containerd/v2 v2.3.1 // indirect
 	github.com/containerd/continuity v0.5.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.2 // indirect
+	github.com/containerd/platforms v1.0.0-rc.4 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
+	github.com/containerd/plugin v1.1.0 // indirect
-	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/containerd/ttrpc v1.2.8 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/docker/cli v29.3.0+incompatible // indirect
+	github.com/docker/cli v29.4.3+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
-	github.com/gkampitakis/ciinfo v0.3.2 // indirect
+	github.com/gkampitakis/ciinfo v0.3.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
 	github.com/goccy/go-yaml v1.19.2
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/henvic/httpretty v0.1.4 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
-	github.com/maruel/natural v1.1.1 // indirect
+	github.com/maruel/natural v1.3.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
@ -187,49 +237,57 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/moby/api v1.54.2 // indirect
 	github.com/moby/moby/client v0.4.1 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.2.0 // indirect
 	github.com/olekukonko/ll v0.1.6 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.3.0 // indirect
 	github.com/opencontainers/selinux v1.13.1 // indirect
 	github.com/pborman/indent v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.1 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pierrec/lz4/v4 v4.1.26 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pkg/xattr v0.4.9 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sahilm/fuzzy v0.1.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/spf13/viper v1.20.0 // indirect
+	github.com/spf13/viper v1.21.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/sylabs/sif/v2 v2.24.0 // indirect
 	github.com/sylabs/squashfs v1.0.6 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
-	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/gjson v1.19.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	github.com/ulikunitz/xz v0.5.15
 	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@ -238,102 +296,36 @@ require (
 	github.com/zclconf/go-cty v1.16.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/crypto v0.52.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
-	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.15.0
 	golang.org/x/tools v0.43.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/api v0.267.0 // indirect
+	gonum.org/v1/gonum v0.17.0 // indirect
 	google.golang.org/api v0.271.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
-	google.golang.org/grpc v1.79.3 // indirect
+	google.golang.org/grpc v1.80.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1
+	modernc.org/libc v1.72.3 // indirect
 	modernc.org/libc v1.70.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )
 require (
 	github.com/acobaugh/osrelease v0.1.0
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/gpustack/gguf-parser-go v0.24.0
 	github.com/wk8/go-ordered-map/v2 v2.1.8
 )
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cyphar.com/go-pathrs v0.2.1 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.2 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.32.10 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 // indirect
 	github.com/aws/smithy-go v1.24.1 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/buger/jsonparser v1.1.2 // indirect
 	github.com/clipperhouse/displaywidth v0.10.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 	github.com/containerd/cgroups/v3 v3.1.2 // indirect
 	github.com/containerd/containerd/v2 v2.2.1 // indirect
 	github.com/containerd/plugin v1.0.0 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.70 // indirect
 	github.com/henvic/httpretty v0.1.4 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/moby/moby/api v1.54.0 // indirect
 	github.com/moby/moby/client v0.3.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.2.0 // indirect
 	github.com/olekukonko/ll v0.1.6 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
 	gonum.org/v1/gonum v0.16.0 // indirect
 )
 retract (
 	v1.25.0 // published with a replace directive (confusing for API users)
 	v0.53.2
--- a/go.sum
+++ b/go.sum
@ -31,8 +31,8 @@ cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0c
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
+cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
-cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
+cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
@ -63,12 +63,10 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.60.0 h1:oBfZrSOCimggVNz9Y/bXY35uUcts7OViubeddTTVzQ8=
+cloud.google.com/go/storage v1.61.3 h1:VS//ZfBuPGDvakfD9xyPW1RGF1Vy3BWUoVZXgW1KMOg=
-cloud.google.com/go/storage v1.60.0/go.mod h1:q+5196hXfejkctrnx+VYU8RKQr/L3c0cBIlrjmiAKE0=
+cloud.google.com/go/storage v1.61.3/go.mod h1:JtqK8BBB7TWv0HVGHubtUdzYYrakOQIsMLffZ2Z/HWk=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
 cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@ -79,13 +77,13 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
+github.com/CycloneDX/cyclonedx-go v0.11.0 h1:GokP8FiRC+foiuwWhSSLpSD5H4hSWtGnR3wo7apkBFI=
-github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
+github.com/CycloneDX/cyclonedx-go v0.11.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
 github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 h1:UnDZ/zFfG1JhH/DqxIZYU/1CUAlTUScoXD/LcM2Ykk8=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0/go.mod h1:IA1C1U7jO/ENqm/vhi7V9YYpBsp+IMyqNrEN94N7tVc=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0 h1:7t/qx5Ost0s0wbA/VDrByOooURhp+ikYwv20i9Y07TQ=
@ -94,15 +92,15 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE=
-github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 h1:0kQAzHq8vLs7Pptv+7TxjdETLf/nIqJpIB4oC6Ba4vY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29/go.mod h1:ZWa7ssZJT30CCDGJ7fk/2SBTq9BIQrrVjrcss0UW2s0=
-github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ=
+github.com/Microsoft/hcsshim v0.15.0-rc.1 h1:FbbwtQmiD+BVHynGkx5S65JkLyhkEiiTP8nrpmg2SZw=
-github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
+github.com/Microsoft/hcsshim v0.15.0-rc.1/go.mod h1:HWvvUPIy9HF6LotILj1G4VyS065rcLQ6tqj6tMUdOfI=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@ -122,34 +120,34 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9 h1:p0ZIe0htYOX284Y4axJaGBvXHU0VCCzLN5Wf5XbKStU=
+github.com/anchore/bubbly v0.2.0 h1:VE6nLlWsYV+bTOqqCzS46NirrVmvHah3UQDtFcjzgHU=
-github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9/go.mod h1:3ZsFB9tzW3vl4gEiUeuSOMDnwroWxIxJelOOHUp8dSw=
+github.com/anchore/bubbly v0.2.0/go.mod h1:zRg1mfRCCe4vq1t9Ibu24YurErmnp9LAVCbpnpsb1pQ=
-github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716 h1:2sIdYJlQESEnyk3Y0WD2vXWW5eD2iMz9Ev8fj1Z8LNA=
+github.com/anchore/clio v0.1.0 h1:lrlSgD38V0T6TLjOG5Kn3miEXCQyYr6ZlwTSnW1WIJg=
-github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716/go.mod h1:Utb9i4kwiCWvqAIxZaJeMIXFO9uOgQXlvH2BfbfO/zI=
+github.com/anchore/clio v0.1.0/go.mod h1:z4l6oHaU8x/yQ3BnES4Ekh4eLqFSYlj1jQpk7waPkJs=
-github.com/anchore/fangs v0.0.0-20250319222917-446a1e748ec2 h1:GC2QaO0YsmjpsZ4rtVKv9DnproIxqqn+qkskpc+i8MA=
+github.com/anchore/fangs v0.1.0 h1:EidxQN2XDRWn8q2n9pCVZXrOEnvpV1CuPLiWMyWG/vE=
-github.com/anchore/fangs v0.0.0-20250319222917-446a1e748ec2/go.mod h1:XUbUECwVKuD3qYRUj+QZIOHjyyXua2gFmVjKA40iHXA=
+github.com/anchore/fangs v0.1.0/go.mod h1:5YocMj6a0MC+KiBXBP0/ocOfc54DvlsOcpkAxmPWgx0=
-github.com/anchore/go-collections v0.0.0-20251016125210-a3c352120e8c h1:eoJXyC0n7DZ4YvySG/ETdYkTar2Due7eH+UmLK6FbrA=
+github.com/anchore/go-collections v0.1.0 h1:vh2LE/j6HLKC27pENkas+J+h4BK4nOte9b7pDjlhY9w=
-github.com/anchore/go-collections v0.0.0-20251016125210-a3c352120e8c/go.mod h1:1aiktV46ATCkuVg0O573ZrH56BUawTECPETbZyBcqT8=
+github.com/anchore/go-collections v0.1.0/go.mod h1:1aiktV46ATCkuVg0O573ZrH56BUawTECPETbZyBcqT8=
-github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d h1:gT69osH9AsdpOfqxbRwtxcNnSZ1zg4aKy2BevO3ZBdc=
+github.com/anchore/go-homedir v0.1.0 h1:WP+lNLOz2og8hzCkY7IccyFNInVKsrjogzV19G5G8p0=
-github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d/go.mod h1:PhSnuFYknwPZkOWKB1jXBNToChBA+l0FjwOxtViIc50=
+github.com/anchore/go-homedir v0.1.0/go.mod h1:9B0DGhbmMAJVGGEbrlb+PkORM5eDFCEOtZ3xQ22qaLA=
-github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 h1:2SqmFgE7h+Ql4VyBzhjLkRF/3gDrcpUBj8LjvvO6OOM=
+github.com/anchore/go-logger v0.1.0 h1:3pE9Sli4SE1I/mtV+2pZXzim+aWj83BRaneVXeMgD3A=
-github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722/go.mod h1:oFuE8YuTCM+spgMXhePGzk3asS94yO9biUfDzVTFqNw=
+github.com/anchore/go-logger v0.1.0/go.mod h1:0l63X5VyHqfWQwsNaTmkgXErsfohze3NAFCXFdhSjdQ=
 github.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs=
 github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk=
-github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
+github.com/anchore/go-macholibre v0.1.0 h1:qHbdusBZNcZM/uuKf1Psa9xxAFSoyRTps8GW9gpJgsg=
-github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
+github.com/anchore/go-macholibre v0.1.0/go.mod h1:eu0gbwaZ+ocVFJLePdmPPDKU8MboV1MKsUCr36Ckd5s=
-github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec h1:SjjPMOXTzpuU1ZME4XeoHyek+dry3/C7I8gzaCo02eg=
+github.com/anchore/go-rpmdb v0.1.0 h1:Q8dc208/HYzCqhx0L1zurfm1UPil24hlo9NjkdFmLdE=
-github.com/anchore/go-rpmdb v0.0.0-20250516171929-f77691e1faec/go.mod h1:eQVa6QFGzKy0qMcnW2pez0XBczvgwSjw9vA23qifEyU=
+github.com/anchore/go-rpmdb v0.1.0/go.mod h1:eQVa6QFGzKy0qMcnW2pez0XBczvgwSjw9vA23qifEyU=
 github.com/anchore/go-struct-converter v0.1.0 h1:2rDRssAl6mgKBSLNiVCMADgZRhoqtw9dedlWa0OhD30=
 github.com/anchore/go-struct-converter v0.1.0/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
-github.com/anchore/go-sync v0.0.0-20250326131806-4eda43a485b6 h1:Ha+LSCVuXYSYGi7wIkJK6G8g6jI3LH7y6LbyEVyp4Io=
+github.com/anchore/go-sync v0.1.0 h1:1TEZM7jISrvtoBMOF79xP0caQKASAtgW1yKqc0EjyZg=
-github.com/anchore/go-sync v0.0.0-20250326131806-4eda43a485b6/go.mod h1:+9oM3XUy8iea/vWj9FhZ9bQGUBN8JpPxxJm5Wbcx9XM=
+github.com/anchore/go-sync v0.1.0/go.mod h1:Iposeub0kHipoTei1icj4Tys0SJN+cCdxEnkS7bZUFs=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
+github.com/anchore/packageurl-go v0.2.0 h1:CkrM4RMUwrEGAiE1OVlxaZNzWj0TuHRey7o4T/EAErk=
-github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
+github.com/anchore/packageurl-go v0.2.0/go.mod h1:2JCgOQMIsqZ7TmliXG4PnUthPJAKE3mWQbsW2XHjAOE=
-github.com/anchore/stereoscope v0.1.22 h1:L807G/kk0WZzOCGuRGF7knxMKzwW2PGdbPVRystryd8=
+github.com/anchore/stereoscope v0.2.1 h1:x9c4LCPGh53tKDAQ22RqEUftEnL7tphJavSRke/aICE=
-github.com/anchore/stereoscope v0.1.22/go.mod h1:FikPtAb/WnbqwgLHAvQA9O+fWez0K4pbjxzghz++iy4=
+github.com/anchore/stereoscope v0.2.1/go.mod h1:PYx3fD4lvBVsYoQ/fBdauhZ5hmkRrJgw1B73svKx7/U=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@ -171,44 +169,44 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
-github.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls=
+github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
-github.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4=
+github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
-github.com/aws/aws-sdk-go-v2/config v1.32.10 h1:9DMthfO6XWZYLfzZglAgW5Fyou2nRI5CuV44sTedKBI=
+github.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0=
-github.com/aws/aws-sdk-go-v2/config v1.32.10/go.mod h1:2rUIOnA2JaiqYmSKYmRJlcMWy6qTj1vuRFscppSBMcw=
+github.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10 h1:EEhmEUFCE1Yhl7vDhNOI5OCL/iKMdkkYFTRpZXNw7m8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10/go.mod h1:RnnlFCAlxQCkN2Q379B67USkBMu1PipEEiibzYN5UTE=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 h1:Ii4s+Sq3yDfaMLpjrJsqD6SmG/Wq/P5L/hw2qa78UAY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18/go.mod h1:6x81qnY++ovptLE6nWQeWrpXxbnlIex+4H4eYYGcqfc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 h1:F43zk1vemYIqPAwhjTjYIz0irU2EY7sOb/F5eJ3HuyM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18/go.mod h1:w1jdlZXrGKaJcNoL+Nnrj+k5wlpGXqnNrKoP22HvAug=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 h1:xCeWVjj0ki0l3nruoyP2slHsGArMxeiiaoPN5QZH6YQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18/go.mod h1:r/eLGuGCBw6l36ZRWiw6PaZwPXb6YOj+i/7MizNl5/k=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17 h1:JqcdRG//czea7Ppjb+g/n4o8i/R50aTBHkA7vu0lK+k=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.17/go.mod h1:CO+WeGmIdj/MlPel2KwID9Gt7CNq4M65HUfBW97liM0=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 h1:CeY9LUdur+Dxoeldqoun6y4WtJ3RQtzk0JMP2gfUay0=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5/go.mod h1:AZLZf2fMaahW5s/wMRciu1sYbdsikT/UHwbUjOdEVTc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8 h1:Z5EiPIzXKewUQK0QTMkutjiaPVeVYXX7KIqhXu/0fXs=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 h1:JRaIgADQS/U6uXDqlPiefP32yXTda7Kqfx+LgspooZM=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.8/go.mod h1:FsTpJtvC4U1fyDXk7c71XoDv3HlRm8V3NiYLeYLh5YE=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13/go.mod h1:CEuVn5WqOMilYl+tbccq8+N2ieCy0gVn3OtRb0vBNNM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 h1:LTRCYFlnnKFlKsyIQxKhJuDuA3ZkrDQMRYm6rXiHlLY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18/go.mod h1:XhwkgGG6bHSd00nO/mexWTcTjgd6PjuvWQMqSn2UaEk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 h1:bGeHBsGZx0Dvu/eJC0Lh9adJa3M1xREcndxLNZlve2U=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17/go.mod h1:dcW24lbU0CzHusTE8LLHhRLI42ejmINN8Lcr22bwh/g=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0 h1:oeu8VPlOre74lBA/PMhxa5vewaMIMmILM+RraSyB8KA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0/go.mod h1:5jggDlZ2CLQhwJBiZJb4vfk4f0GxWdEDruWKEJ1xOdo=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 h1:MzORe+J94I+hYu2a6XmV5yC9huoTv8NRcCrUNedDypQ=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6/go.mod h1:hXzcHLARD7GeWnifd8j9RWqtfIgxj4/cAtIVIK7hg8g=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 h1:7oGD8KPfBOJGXiCoRKrrrQkbvCp8N++u36hrLMPey6o=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11/go.mod h1:0DO9B5EUJQlIDif+XJRWCljZRKsAFKh3gpFz7UnDtOo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 h1:edCcNp9eGIUDUCrzoCu1jWAXLGFIizeqkdkKgRlJwWc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15/go.mod h1:lyRQKED9xWfgkYC/wmmYfv7iVIM68Z5OQ88ZdcV1QbU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 h1:NITQpgo9A5NrDZ57uOWj+abvXSb83BbyggcUBVksN7c=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7/go.mod h1:sks5UWBhEuWYDPdwlnRFn1w7xWdH29Jcpe+/PJQefEs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
-github.com/aws/smithy-go v1.24.1 h1:VbyeNfmYkWoxMVpGUAbQumkODcYmfMRfZ8yQiH30SK0=
+github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
-github.com/aws/smithy-go v1.24.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
@ -294,14 +292,14 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
-github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4=
+github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
-github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
+github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
-github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
+github.com/containerd/containerd/api v1.11.1 h1:h8nfoDW9+fNsC/9TwiAHj8B1GzXKtR4eFtkhi/X5RLU=
-github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
+github.com/containerd/containerd/api v1.11.1/go.mod h1:CaQFRu+N1MtbgL6JDOJLUB1hCKESU1lD6MuTJhgtdlw=
-github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk=
+github.com/containerd/containerd/v2 v2.3.1 h1:4dVXBdlvotRBlaP2TmNbY/EGc06KJrMDDUqQdxX/HOk=
-github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU=
+github.com/containerd/containerd/v2 v2.3.1/go.mod h1:xVoxGPWZBwwph8DF2IbDhriLKdHfjdpO0b3wFP9wQ1I=
-github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=
-github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/continuity v0.5.0/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@ -310,14 +308,12 @@ github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4=
+github.com/containerd/platforms v1.0.0-rc.4 h1:M42JrUT4zfZTqtkUwkr0GzmUWbfyO5VO0Q5b3op97T4=
-github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/platforms v1.0.0-rc.4/go.mod h1:lKlMXyLybmBedS/JJm11uDofzI8L2v0J2ZbYvNsbq1A=
-github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
+github.com/containerd/plugin v1.1.0 h1:O+7lczNJVMy8rz0YNx3xGB8tTf5qY4i5abF041Ew19U=
-github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
+github.com/containerd/plugin v1.1.0/go.mod h1:qBTum+A8lJ6lO44A19Eo7y1OlcLj4OWFH1DA/vnHmcc=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
+github.com/containerd/ttrpc v1.2.8 h1:xbVu6D4qF2jihdh9rDVOKqUMiFBQk6YctTdo1zk087Y=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
+github.com/containerd/ttrpc v1.2.8/go.mod h1:wyZW2K79t4Hfcxl+GUvkZqRBzJlqFFvgEeeWXa42tyE=
 github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
 github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@ -325,8 +321,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
-github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/dave/jennifer v1.7.1 h1:B4jJJDHelWcDhlRQxWeo0Npa/pYKBLrirAQoTN45txo=
 github.com/dave/jennifer v1.7.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -337,20 +333,18 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.9.3 h1:cLciNCeZ4QAXVxyPJDr1ZJ9N9CCG3rQlQ/z/Cs/cNDM=
-github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
+github.com/diskfs/go-diskfs v1.9.3/go.mod h1:TePJORO83Adh5pb2SqsxAwaP0fofFxKLkxctiS/9OQc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
+github.com/docker/cli v29.4.3+incompatible h1:u+UliYm2J/rYrIh2FqHQg32neRG8GjbvNuwQRTzGspU=
-github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.4.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
 github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
@ -362,8 +356,8 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/elliotchance/phpserialize v1.4.0 h1:cAp/9+KSnEbUC8oYCE32n2n84BeW8HOY3HMDI8hG2OY=
 github.com/elliotchance/phpserialize v1.4.0/go.mod h1:gt7XX9+ETUcLXbtTKEuyrqW3lcLUAeS/AnGZ2e49TZs=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57 h1:x5yxNrq8XffV/OoNUeFPM6hxHVi5OTspSTBxr/9pemg=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@ -387,6 +381,8 @@ github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg
 github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/erofs/go-erofs v0.3.0 h1:o/W5ABAA3sHYl97WL93dacKEfeDpJhdFf3c2snAti7I=
 github.com/erofs/go-erofs v0.3.0/go.mod h1:XkSeN9MHszGd4+3gcEjadJLYHCQpWzJ7/8yznzMuzJs=
 github.com/facebookincubator/flog v0.0.0-20190930132826-d2511d0ce33c/go.mod h1:QGzNH9ujQ2ZUr/CjDGZGWeDAVStrWNjHeEcjJL96Nuk=
 github.com/facebookincubator/nvdtools v0.1.5 h1:jbmDT1nd6+k+rlvKhnkgMokrCAzHoASWE5LtHbX2qFQ=
 github.com/facebookincubator/nvdtools v0.1.5/go.mod h1:Kh55SAWnjckS96TBSrXI99KrEKH4iB0OJby3N8GRJO4=
@ -410,29 +406,29 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/github/go-spdx/v2 v2.4.0 h1:+4IwVwJJbm3rzvrQ6P1nI9BDMcy3la4RchRy5uehV/M=
+github.com/github/go-spdx/v2 v2.7.0 h1:GzfXx4wFdlilARxmFRXW/mgUy3A4vSqZocCMFV6XFdQ=
-github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg=
+github.com/github/go-spdx/v2 v2.7.0/go.mod h1:Ftc45YYG1WzpzwEPKRVm9Jv8vDqOrN4gWoCkK+bHer0=
-github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.4 h1:5eBSibVuSMbb/H6Elc0IIEFbkzCJi3lm94n0+U7Z0KY=
-github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/ciinfo v0.3.4/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
-github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y=
+github.com/gkampitakis/go-snaps v0.5.22 h1:xg9omphRnbDnimMCl1KqznC4krlxOGpkB0vDSfX2P7M=
-github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
+github.com/gkampitakis/go-snaps v0.5.22/go.mod h1:uy3lVzCCRRsAwYqSocyw5fY8xRLCYEfqoOJNxr8HonM=
 github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
 github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
-github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@ -513,8 +509,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.21.2 h1:vYaMU4nU55JJGFC9JR/s8NZcTjbE9DBBbvusTW9NeS0=
+github.com/google/go-containerregistry v0.21.6 h1:T+yqQIlJXKrM98Om4DlW3GoWQAmhZuLMwoDOvVrtiUM=
-github.com/google/go-containerregistry v0.21.2/go.mod h1:ctO5aCaewH4AK1AumSF5DPW+0+R+d2FmylMJdp5G7p0=
+github.com/google/go-containerregistry v0.21.6/go.mod h1:U7MMSBIJynke2MVQrQk19NP9k/uQsGz/h0amIFSHMbo=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/licensecheck v0.3.1 h1:QoxgoDkaeC4nFrtGN1jV7IPmDCHFNIVh54e5hSt6sPs=
 github.com/google/licensecheck v0.3.1/go.mod h1:ORkR35t/JjW+emNKtfJDII0zlciG9JgbT7SmsohlHmY=
@ -549,8 +545,8 @@ github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
-github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
@ -560,13 +556,13 @@ github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOID
 github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0=
 github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj0VX2E=
 github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg=
-github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
+github.com/gookit/color v1.6.1 h1:KoTnDxJPRgrL0SoX0f8rCFg2zI0t4E3GZZBMo2nN8LU=
-github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
+github.com/gookit/color v1.6.1/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
-github.com/gpustack/gguf-parser-go v0.24.0 h1:tdJceXYp9e5RhE9RwVYIuUpir72Jz2D68NEtDXkKCKc=
+github.com/gpustack/gguf-parser-go v0.24.1 h1:nTYtL8HFK6ZhB90RKBu4oX2b3ZHpJLrMmKRfL9w9Cyc=
-github.com/gpustack/gguf-parser-go v0.24.0/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
+github.com/gpustack/gguf-parser-go v0.24.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.70 h1:0HADrxxqaQkGycO1JoUUA+B4FnIkuo8d2bz/hSaTFFQ=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72 h1:vTCWu1wbdYo7PEZFem/rlr01+Un+wwVmI7wiegFdRLk=
-github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.70/go.mod h1:fm2FdDCzJdtbXF7WKAMvBb5NEPouXPHFbGNYs9ShFns=
+github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72/go.mod h1:Vn+BBgKQHVQYdVQ4NZDICE1Brb+JfaONyDHr3q07oQc=
 github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@ -576,8 +572,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter v1.8.5 h1:DMPV5CSw5JrNg/IK7kDZt3+l2REKXOi3oAw7uYLh2NM=
+github.com/hashicorp/go-getter v1.8.6 h1:9sQboWULaydVphxc4S64oAI4YqpuCk7nPmvbk131ebY=
-github.com/hashicorp/go-getter v1.8.5/go.mod h1:WIffejwAyDSJhoVptc3UEshEMkR9O63rw34V7k43O3Q=
+github.com/hashicorp/go-getter v1.8.6/go.mod h1:nVH12eOV2P58dIiL3rsU6Fh3wLeJEKBOJzhMmzlSWoo=
 github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@ -624,12 +620,12 @@ github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
+github.com/invopop/jsonschema v0.14.0 h1:MHQqLhvpNUZfw+hM3AZDYK7jxO8FZoQeQM77g8iyZjg=
-github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/invopop/jsonschema v0.14.0/go.mod h1:ygm6C2EaVNMBDPpaPlnOA2pFAxBnxGjFlMZABxm9n2I=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o=
+github.com/jedib0t/go-pretty/v6 v6.7.10 h1:B/2qW2Bkv2L6n14PP8o1kx75kWzHOQ3YTluWzg9icac=
-github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
+github.com/jedib0t/go-pretty/v6 v6.7.10/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@ -648,9 +644,11 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@ -673,10 +671,9 @@ github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc8
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.3.0 h1:VsmCsBmEyrR46RomtgHs5hbKADGRVtliHTyCOLFBpsg=
-github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/maruel/natural v1.3.0/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@ -725,10 +722,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby/api v1.54.0 h1:7kbUgyiKcoBhm0UrWbdrMs7RX8dnwzURKVbZGy2GnL0=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
-github.com/moby/moby/api v1.54.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
-github.com/moby/moby/client v0.3.0 h1:UUGL5okry+Aomj3WhGt9Aigl3ZOxZGqR7XPo+RLPlKs=
+github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
-github.com/moby/moby/client v0.3.0/go.mod h1:HJgFbJRvogDQjbM8fqc1MCEm4mIAGMLjXbgwoZp6jCQ=
+github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
@ -778,22 +775,22 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
 github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pb33f/ordered-map/v2 v2.3.1 h1:5319HDO0aw4DA4gzi+zv4FXU9UlSs3xGZ40wcP1nBjY=
 github.com/pb33f/ordered-map/v2 v2.3.1/go.mod h1:qxFQgd0PkVUtOMCkTapqotNgzRhMPL7VvaHKbd1HnmQ=
 github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM=
 github.com/pborman/indent v1.2.1/go.mod h1:FitS+t35kIYtB5xWTZAPhnmrxcciEEOdbyrrpz5K6Vw=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
+github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY=
-github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -802,8 +799,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.12 h1:rRTkSyFNTRElv6pkA3zpjHpQ90p/OdHQC1GmGh1aTjM=
-github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/pkg/xattr v0.4.12/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@ -824,8 +821,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuMRoVWSkXC4uvY=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@ -843,8 +840,8 @@ github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c/go.m
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
-github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
-github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
+github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
 github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
 github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d h1:hrujxIzL1woJ7AwssoOcM/tq5JjjG2yYOc8odClEiXA=
@ -875,8 +872,8 @@ github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d h1:3VwvTjiRPA
 github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d/go.mod h1:tAG61zBM1DYRaGIPloumExGvScf08oHuo0kFoOqdbT0=
 github.com/sorairolake/lzip-go v0.3.8 h1:j5Q2313INdTA80ureWYRhX+1K78mUXfMoPZCw/ivWik=
 github.com/sorairolake/lzip-go v0.3.8/go.mod h1:JcBqGMV0frlxwrsE9sMWXDjqn3EeVf0/54YPsw66qkU=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb h1:bLo8hvc8XFm9J47r690TUKBzcjSWdJDxmjXJZ+/f92U=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
@ -887,8 +884,8 @@ github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
-github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
 github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
@ -898,8 +895,8 @@ github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
-github.com/spf13/viper v1.20.0 h1:zrxIyR3RQIOsarIrgL8+sAvALXul9jeEPa06Y0Ph6vY=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
-github.com/spf13/viper v1.20.0/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
 github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -927,13 +924,15 @@ github.com/sylabs/sif/v2 v2.24.0 h1:1wB5uMDUQYjk8AckTySaDcP9YnpMb1LyDRr1Jt9A10w=
 github.com/sylabs/sif/v2 v2.24.0/go.mod h1:DbXWqWZ1hdLSU+K9ipdds5AmZeHWsyxCOj/oQakBa88=
 github.com/sylabs/squashfs v1.0.6 h1:PvJcDzxr+vIm2kH56mEMbaOzvGu79gK7P7IX+R7BDZI=
 github.com/sylabs/squashfs v1.0.6/go.mod h1:DlDeUawVXLWAsSRa085Eo0ZenGzAB32JdAUFaB0LZfE=
 github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
 github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo=
 github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw=
 github.com/therootcompany/xz v1.0.1/go.mod h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
-github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
@ -947,16 +946,12 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/go-mtree v0.7.0 h1:ytmOc3MTRidZiBi9VBCyZ2BHe4fZS47L5v7BVXDWW4E=
 github.com/vbatts/go-mtree v0.7.0/go.mod h1:EjdpFC+LZy1TXbRGNa1MKKgjQ+7ew3foMFJK8o4/TdY=
 github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
 github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/vifraa/gopom v1.0.0 h1:L9XlKbyvid8PAIK8nr0lihMApJQg/12OBvMA28BcWh0=
 github.com/vifraa/gopom v1.0.0/go.mod h1:oPa1dcrGrtlO37WPDBm5SqHAT+wTgF8An1Q71Z6Vv4o=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0 h1:EHsPe0Q0ANoLOZff1dBLAyeWLTA4sbPTpGI+2zb0FnM=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0/go.mod h1:g/D9uEUFp5YLyciwCpVsSOZOm56hfv4rzGJod6MlqIM=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@ -1000,34 +995,32 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 h1:0Qx7VGBacMm9ZENQ7TnNObTYI4ShC+lHI16seduaxZo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0/go.mod h1:Sje3i3MjSPKTSPvVWCaL8ugBzJwik3u4smCjUeuupqg=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0/go.mod h1:3y6kQCWztq6hyW8Z9YxQDDm0Je9AJoFar2G0yDcmhRk=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
 go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 go4.org v0.0.0-20230225012048-214862532bf5 h1:nifaUDeh+rPaBCMPMQHZmvJf+QdpLFnuQPwx+LxVmtc=
 go4.org v0.0.0-20230225012048-214862532bf5/go.mod h1:F57wTi5Lrj6WLyswp5EYV1ncrEbFGHD4hhz6S1ZYeaU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -1042,8 +1035,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -1054,8 +1047,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@ -1083,8 +1076,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -1129,8 +1122,8 @@ golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -1238,13 +1231,13 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1255,8 +1248,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -1317,16 +1310,16 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@ -1359,8 +1352,8 @@ google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdr
 google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
 google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
 google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
-google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
+google.golang.org/api v0.271.0 h1:cIPN4qcUc61jlh7oXu6pwOQqbJW2GqYh5PS6rB2C/JY=
-google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=
+google.golang.org/api v0.271.0/go.mod h1:CGT29bhwkbF+i11qkRUJb2KMKqcJ1hdFceEIRd9u64Q=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -1433,10 +1426,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d h1:wT2n40TBqFY6wiwazVK9/iTWbsQrgk5ZfCSVFLO9LQA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -1464,8 +1457,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@ -1480,8 +1473,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -1512,10 +1505,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@ -1524,18 +1517,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE=
+modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
-modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/install.sh
+++ b/install.sh
@ -154,6 +154,7 @@ uname_arch_check() (
    mipsle) return 0 ;;
    mips64) return 0 ;;
    mips64le) return 0 ;;
    riscv64) return 0 ;;
    s390x) return 0 ;;
    amd64p32) return 0 ;;
  esac
--- a/internal/capabilities/evaluation.go
+++ b/internal/capabilities/evaluation.go
@ -5,8 +5,8 @@ import "reflect"
 // EvaluateCapabilities evaluates a capability set against a given configuration
 // and returns the effective capability values as a flat map.
 // Example: {"license": false, "dependency.depth": ["direct", "indirect"]}
-func EvaluateCapabilities(caps CapabilitySet, config map[string]interface{}) map[string]interface{} {
+func EvaluateCapabilities(caps CapabilitySet, config map[string]any) map[string]any {
-	result := make(map[string]interface{})
+	result := make(map[string]any)
 	for _, capField := range caps {
 		result[capField.Name] = EvaluateField(capField, config)
 	}
@ -16,7 +16,7 @@ func EvaluateCapabilities(caps CapabilitySet, config map[string]interface{}) map
 // EvaluateField evaluates a single capability field against a configuration.
 // Conditions are evaluated in order, and the first matching condition's value is returned.
 // If no conditions match, the default value is returned.
-func EvaluateField(capField CapabilityField, config map[string]interface{}) interface{} {
+func EvaluateField(capField CapabilityField, config map[string]any) any {
 	// check conditions in order (first match wins)
 	for _, cond := range capField.Conditions {
 		if ConditionMatches(cond.When, config) {
@ -30,7 +30,7 @@ func EvaluateField(capField CapabilityField, config map[string]interface{}) inte
 // ConditionMatches checks if a condition's when clause matches the given configuration.
 // All fields in the when clause must match the config (AND logic).
 // Returns true if all key-value pairs in when match the config.
-func ConditionMatches(when map[string]interface{}, config map[string]interface{}) bool {
+func ConditionMatches(when map[string]any, config map[string]any) bool {
 	// all fields in when must match config (AND logic)
 	for key, expectedValue := range when {
 		actualValue, exists := config[key]
@ -46,7 +46,7 @@ func ConditionMatches(when map[string]interface{}, config map[string]interface{}
 // valuesEqual compares two values for equality, handling different types appropriately.
 // Uses reflect.DeepEqual for complex types like slices and maps.
-func valuesEqual(a, b interface{}) bool {
+func valuesEqual(a, b any) bool {
 	// handle nil cases
 	if a == nil && b == nil {
 		return true
--- a/internal/capabilities/evaluation_test.go
+++ b/internal/capabilities/evaluation_test.go
@ -10,8 +10,8 @@ import (
 func Test_valuesEqual(t *testing.T) {
 	tests := []struct {
 		name string
-		a    interface{}
+		a    any
-		b    interface{}
+		b    any
 		want bool
 	}{
 		{
@ -123,47 +123,47 @@ func Test_valuesEqual(t *testing.T) {
 func TestConditionMatches(t *testing.T) {
 	tests := []struct {
 		name   string
-		when   map[string]interface{}
+		when   map[string]any
-		config map[string]interface{}
+		config map[string]any
 		want   bool
 	}{
 		{
 			name:   "empty when clause matches anything",
-			when:   map[string]interface{}{},
+			when:   map[string]any{},
-			config: map[string]interface{}{"key": "value"},
+			config: map[string]any{"key": "value"},
 			want:   true,
 		},
 		{
 			name:   "empty when clause with empty config",
-			when:   map[string]interface{}{},
+			when:   map[string]any{},
-			config: map[string]interface{}{},
+			config: map[string]any{},
 			want:   true,
 		},
 		{
 			name:   "single key match",
-			when:   map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			when:   map[string]any{"SearchLocalModCacheLicenses": true},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			config: map[string]any{"SearchLocalModCacheLicenses": true},
 			want:   true,
 		},
 		{
 			name:   "single key mismatch",
-			when:   map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			when:   map[string]any{"SearchLocalModCacheLicenses": true},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": false},
+			config: map[string]any{"SearchLocalModCacheLicenses": false},
 			want:   false,
 		},
 		{
 			name:   "key missing from config",
-			when:   map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			when:   map[string]any{"SearchLocalModCacheLicenses": true},
-			config: map[string]interface{}{},
+			config: map[string]any{},
 			want:   false,
 		},
 		{
 			name: "multiple keys all match",
-			when: map[string]interface{}{
+			when: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"UseNetwork":                  true,
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"UseNetwork":                  true,
 				"ExtraKey":                    "ignored",
@ -172,11 +172,11 @@ func TestConditionMatches(t *testing.T) {
 		},
 		{
 			name: "multiple keys one mismatch",
-			when: map[string]interface{}{
+			when: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"UseNetwork":                  true,
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"UseNetwork":                  false,
 			},
@ -184,31 +184,31 @@ func TestConditionMatches(t *testing.T) {
 		},
 		{
 			name: "multiple keys one missing",
-			when: map[string]interface{}{
+			when: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"UseNetwork":                  true,
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 			},
 			want: false,
 		},
 		{
 			name:   "string value match",
-			when:   map[string]interface{}{"mode": "fast"},
+			when:   map[string]any{"mode": "fast"},
-			config: map[string]interface{}{"mode": "fast"},
+			config: map[string]any{"mode": "fast"},
 			want:   true,
 		},
 		{
 			name:   "slice value match",
-			when:   map[string]interface{}{"formats": []string{"json", "yaml"}},
+			when:   map[string]any{"formats": []string{"json", "yaml"}},
-			config: map[string]interface{}{"formats": []string{"json", "yaml"}},
+			config: map[string]any{"formats": []string{"json", "yaml"}},
 			want:   true,
 		},
 		{
 			name:   "slice value mismatch",
-			when:   map[string]interface{}{"formats": []string{"json", "yaml"}},
+			when:   map[string]any{"formats": []string{"json", "yaml"}},
-			config: map[string]interface{}{"formats": []string{"json", "xml"}},
+			config: map[string]any{"formats": []string{"json", "xml"}},
 			want:   false,
 		},
 	}
@ -225,8 +225,8 @@ func TestEvaluateField(t *testing.T) {
 	tests := []struct {
 		name     string
 		capField CapabilityField
-		config   map[string]interface{}
+		config   map[string]any
-		want     interface{}
+		want     any
 	}{
 		{
 			name: "no conditions returns default",
@ -235,7 +235,7 @@ func TestEvaluateField(t *testing.T) {
 				Default:    false,
 				Conditions: nil,
 			},
-			config: map[string]interface{}{},
+			config: map[string]any{},
 			want:   false,
 		},
 		{
@ -245,7 +245,7 @@ func TestEvaluateField(t *testing.T) {
 				Default:    false,
 				Conditions: []CapabilityCondition{},
 			},
-			config: map[string]interface{}{},
+			config: map[string]any{},
 			want:   false,
 		},
 		{
@ -260,7 +260,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			config: map[string]any{"SearchLocalModCacheLicenses": true},
 			want:   true,
 		},
 		{
@ -275,7 +275,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": false},
+			config: map[string]any{"SearchLocalModCacheLicenses": false},
 			want:   false,
 		},
 		{
@ -294,7 +294,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": true,
 				"SearchRemoteLicenses":        true,
 			},
@ -316,7 +316,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": false,
 				"SearchRemoteLicenses":        true,
 			},
@ -338,7 +338,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": false,
 				"SearchRemoteLicenses":        false,
 			},
@ -351,7 +351,7 @@ func TestEvaluateField(t *testing.T) {
 				Default:    []string{"direct", "indirect"},
 				Conditions: nil,
 			},
-			config: map[string]interface{}{},
+			config: map[string]any{},
 			want:   []string{"direct", "indirect"},
 		},
 		{
@ -369,7 +369,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"EnableFeatureA": true,
 				"EnableFeatureB": true,
 			},
@ -390,7 +390,7 @@ func TestEvaluateField(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"EnableFeatureA": true,
 				"EnableFeatureB": false,
 			},
@ -412,14 +412,14 @@ func TestEvaluateCapabilities(t *testing.T) {
 	tests := []struct {
 		name   string
 		caps   CapabilitySet
-		config map[string]interface{}
+		config map[string]any
-		want   map[string]interface{}
+		want   map[string]any
 	}{
 		{
 			name:   "empty capability set",
 			caps:   CapabilitySet{},
-			config: map[string]interface{}{},
+			config: map[string]any{},
-			want:   map[string]interface{}{},
+			want:   map[string]any{},
 		},
 		{
 			name: "single capability no conditions",
@ -429,8 +429,8 @@ func TestEvaluateCapabilities(t *testing.T) {
 					Default: false,
 				},
 			},
-			config: map[string]interface{}{},
+			config: map[string]any{},
-			want: map[string]interface{}{
+			want: map[string]any{
 				"license": false,
 			},
 		},
@ -448,8 +448,8 @@ func TestEvaluateCapabilities(t *testing.T) {
 					},
 				},
 			},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			config: map[string]any{"SearchLocalModCacheLicenses": true},
-			want: map[string]interface{}{
+			want: map[string]any{
 				"license": true,
 			},
 		},
@ -475,8 +475,8 @@ func TestEvaluateCapabilities(t *testing.T) {
 					Default: "flat",
 				},
 			},
-			config: map[string]interface{}{"SearchLocalModCacheLicenses": true},
+			config: map[string]any{"SearchLocalModCacheLicenses": true},
-			want: map[string]interface{}{
+			want: map[string]any{
 				"license":          true,
 				"dependency.depth": []string{"direct", "indirect"},
 				"dependency.edges": "flat",
@ -512,11 +512,11 @@ func TestEvaluateCapabilities(t *testing.T) {
 					Default: false,
 				},
 			},
-			config: map[string]interface{}{
+			config: map[string]any{
 				"SearchLocalModCacheLicenses": false,
 				"SearchRemoteLicenses":        true,
 			},
-			want: map[string]interface{}{
+			want: map[string]any{
 				"license":                       true,
 				"dependency.depth":              []string{"direct", "indirect"},
 				"dependency.edges":              "flat",
@ -526,10 +526,10 @@ func TestEvaluateCapabilities(t *testing.T) {
 		{
 			name: "nil capability set",
 			caps: nil,
-			config: map[string]interface{}{
+			config: map[string]any{
 				"anything": true,
 			},
-			want: map[string]interface{}{},
+			want: map[string]any{},
 		},
 	}
--- a/internal/capabilities/generate/discover_app_config.go
+++ b/internal/capabilities/generate/discover_app_config.go
@ -17,7 +17,7 @@ import (
 type AppConfigField struct {
 	Key          string // e.g., "golang.search-local-mod-cache-licenses"
 	Description  string // extracted from DescribeFields() method
-	DefaultValue interface{} // extracted from Default*() functions
+	DefaultValue any    // extracted from Default*() functions
 }
 // extractEcosystemConfigFieldsFromCatalog parses catalog.go and extracts the ecosystem-specific
@ -390,7 +390,7 @@ func extractDescriptionsFromDescribeFields(f *ast.File) map[string]string {
 }
 // extractNestedAppConfigs handles nested config structs like golang.MainModuleVersion
-func extractNestedAppConfigs(f *ast.File, parentKey, parentFieldName string, fieldType ast.Expr, descriptions map[string]string, defaults map[string]interface{}) []AppConfigField {
+func extractNestedAppConfigs(f *ast.File, parentKey, parentFieldName string, fieldType ast.Expr, descriptions map[string]string, defaults map[string]any) []AppConfigField {
 	var configs []AppConfigField
 	// find the nested struct type
@ -449,8 +449,8 @@ func extractNestedAppConfigs(f *ast.File, parentKey, parentFieldName string, fie
 		description := descriptions[nestedPath]
 		// try to get default value from nested defaults
-		var defaultValue interface{}
+		var defaultValue any
-		if nestedDefaults, ok := defaults[parentFieldName].(map[string]interface{}); ok {
+		if nestedDefaults, ok := defaults[parentFieldName].(map[string]any); ok {
 			defaultValue = nestedDefaults[fieldName]
 		}
@ -465,8 +465,8 @@ func extractNestedAppConfigs(f *ast.File, parentKey, parentFieldName string, fie
 }
 // extractAppDefaultValues extracts default values from the default*Config function
-func extractAppDefaultValues(f *ast.File) map[string]interface{} {
+func extractAppDefaultValues(f *ast.File) map[string]any {
-	defaults := make(map[string]interface{})
+	defaults := make(map[string]any)
 	for _, decl := range f.Decls {
 		funcDecl, ok := decl.(*ast.FuncDecl)
@ -518,7 +518,7 @@ func extractAppDefaultValues(f *ast.File) map[string]interface{} {
 }
 // extractAppValue extracts a Go value from an AST expression
-func extractAppValue(expr ast.Expr) interface{} {
+func extractAppValue(expr ast.Expr) any {
 	switch v := expr.(type) {
 	case *ast.BasicLit:
 		// string, int, bool literals
@ -543,7 +543,7 @@ func extractAppValue(expr ast.Expr) interface{} {
 		}
 	case *ast.CompositeLit:
 		// nested struct literal
-		nested := make(map[string]interface{})
+		nested := make(map[string]any)
 		for _, elt := range v.Elts {
 			kvExpr, ok := elt.(*ast.KeyValueExpr)
 			if !ok {
--- a/internal/capabilities/generate/discover_app_config_test.go
+++ b/internal/capabilities/generate/discover_app_config_test.go
@ -340,7 +340,7 @@ func TestExtractAppValue(t *testing.T) {
 	tests := []struct {
 		name string
 		src  string
-		want interface{}
+		want any
 	}{
 		{
 			name: "string literal",
@ -406,7 +406,7 @@ func TestExtractAppValue_NestedStruct(t *testing.T) {
 	got := extractAppValue(compositeLit)
 	// verify it's a map with the expected values
-	gotMap, ok := got.(map[string]interface{})
+	gotMap, ok := got.(map[string]any)
 	require.True(t, ok)
 	require.Equal(t, "value", gotMap["Field1"])
 	require.Equal(t, true, gotMap["Field2"])
--- a/internal/capabilities/generate/discover_catalogers.go
+++ b/internal/capabilities/generate/discover_catalogers.go
@ -567,8 +567,8 @@ func resolveImportedConstant(pkgName, constName string, ctx *parseContext) strin
 // resolveImportPath converts an import path to a file system path
 func resolveImportPath(importPath, repoRoot string) string {
 	// for github.com/anchore/syft/... imports, convert to repo-relative path
-	if strings.HasPrefix(importPath, "github.com/anchore/syft/") {
+	if after, ok := strings.CutPrefix(importPath, "github.com/anchore/syft/"); ok {
-		relPath := strings.TrimPrefix(importPath, "github.com/anchore/syft/")
+		relPath := after
 		return filepath.Join(repoRoot, relPath)
 	}
--- a/internal/capabilities/generate/io.go
+++ b/internal/capabilities/generate/io.go
@ -214,7 +214,7 @@ func mapCatalogerToEcosystem(cat capabilities.CatalogerEntry) string {
 }
 // updateNodeTreeEcosystem updates an existing ecosystem YAML node tree
-func updateNodeTreeEcosystem(rootNode *yaml.Node, doc interface{}) error {
+func updateNodeTreeEcosystem(rootNode *yaml.Node, doc any) error {
 	var newNode yaml.Node
 	if err := newNode.Encode(doc); err != nil {
 		return err
@ -242,7 +242,7 @@ func updateNodeTreeEcosystem(rootNode *yaml.Node, doc interface{}) error {
 }
 // updateNodeTreeAppConfig updates appconfig YAML node tree
-func updateNodeTreeAppConfig(rootNode *yaml.Node, doc interface{}) error {
+func updateNodeTreeAppConfig(rootNode *yaml.Node, doc any) error {
 	return updateNodeTreeEcosystem(rootNode, doc)
 }
--- a/internal/capabilities/generate/merge.go
+++ b/internal/capabilities/generate/merge.go
@ -490,11 +490,15 @@ func (e *EnrichmentData) EnrichWithBinaryClassifier(catalogerName string, entry
 			}
 			for _, o := range binaryClassifierOverrides[classifier.Class] {
 				cpeStrings := make([]string, len(o.CPEs))
 				for i, c := range o.CPEs {
 					cpeStrings[i] = c.Attributes.BindToFmtString()
 				}
 				packages = append(packages, capabilities.DetectorPackageInfo{
 					Class: o.Class,
 					Name:  o.Package,
 					PURL:  stripPURLVersion(o.PURL),
-					CPEs:  o.CPEs,
+					CPEs:  cpeStrings,
 					Type:  "BinaryPkg",
 				})
 			}
--- a/internal/capabilities/generate/overrides.go
+++ b/internal/capabilities/generate/overrides.go
@ -10,7 +10,7 @@ type binaryClassifierOverride struct {
 	Class   string
 	Package string
 	PURL    string
-	CPEs    []string
+	CPEs    []cpe.CPE
 }
 var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
@ -96,12 +96,61 @@ var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
 			CPEs:    singleCPE("cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	},
 	"openssl-binary": {
 		{
 			Class:   "openssl-binary-aws-lc",
 			Package: "aws-lc",
 			PURL:    mustPURL("pkg:generic/aws-lc@version"),
 			CPEs:    singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 		{
 			Class:   "openssl-binary",
 			Package: "openssl",
 			PURL:    mustPURL("pkg:generic/openssl@version"),
 			CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	},
 	"mysqld-binary": {
 		{
 			Class:   "mysqld-mysql-cluster-legacy-binary",
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:   "mysqld-mysql-cluster-binary",
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:   "mysqld-mysql-server-binary",
 			Package: "mysql-server",
 			PURL:    mustPURL("pkg:generic/mysql-server@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 	},
 }
 func mustPURL(purl string) string {
 	return purl
 }
-func singleCPE(cpeString string, _ ...any) []string {
+func singleCPE(cpeString string, source ...cpe.Source) []cpe.CPE {
-	return []string{cpeString}
+	src := cpe.GeneratedSource
 	if len(source) > 0 {
 		src = source[0]
 	}
 	return []cpe.CPE{
 		cpe.Must(cpeString, src),
 	}
 }
--- a/internal/capabilities/internal/load_capabilities_test.go
+++ b/internal/capabilities/internal/load_capabilities_test.go
@ -30,7 +30,7 @@ const requireParserObservations = false
 // metadataTypeCoverageExceptions lists metadata types that are allowed to not be represented in any cataloger
 var metadataTypeCoverageExceptions = strset.New(
-	reflect.TypeOf(pkg.MicrosoftKbPatch{}).Name(),
+	reflect.TypeFor[pkg.MicrosoftKbPatch]().Name(),
 )
 // packageTypeCoverageExceptions lists package types that are allowed to not be represented in any cataloger
@ -408,7 +408,7 @@ func TestCapabilityValueTypes(t *testing.T) {
 }
 // validateCapabilityValueType checks if a value matches the expected type for a capability field
-func validateCapabilityValueType(fieldPath string, value interface{}) error {
+func validateCapabilityValueType(fieldPath string, value any) error {
 	if value == nil {
 		return nil // nil is acceptable
 	}
@ -428,7 +428,7 @@ func validateCapabilityValueType(fieldPath string, value interface{}) error {
 		switch v := value.(type) {
 		case []string:
 			// ok
-		case []interface{}:
+		case []any:
 			// check each element is a string
 			for i, elem := range v {
 				if _, ok := elem.(string); !ok {
@ -829,7 +829,6 @@ func TestCapabilityEvidenceFieldReferences(t *testing.T) {
 	// validate each evidence reference
 	for _, ref := range allReferences {
 		ref := ref // capture for subtest
 		// create test name
 		testName := ref.catalogerName
@ -989,7 +988,6 @@ func validateCapabilitiesFilled(t *testing.T, catalogers []capabilities.Cataloge
 	checkCompletenessTestsEnabled(t)
 	for _, c := range catalogers {
 		c := c // capture loop variable for subtest
 		t.Run(c.Name, func(t *testing.T) {
 			if c.Type == "generic" {
@ -997,7 +995,6 @@ func validateCapabilitiesFilled(t *testing.T, catalogers []capabilities.Cataloge
 				require.NotEmpty(t, c.Parsers, "generic cataloger must have at least one parser")
 				for _, p := range c.Parsers {
 					p := p // capture loop variable for subtest
 					t.Run(p.ParserFunction, func(t *testing.T) {
 						require.NotEmpty(t, p.Capabilities, "parser must have at least one capability field defined")
@ -1120,7 +1117,6 @@ func TestCatalogerStructure(t *testing.T) {
 	require.NoError(t, err)
 	for _, c := range catalogerEntries {
 		c := c // capture loop variable for subtest
 		t.Run(c.Name, func(t *testing.T) {
 			// ecosystem must always be set (it's MANUAL)
--- a/internal/constants.go
+++ b/internal/constants.go
@ -3,12 +3,13 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.1.3"
+	JSONSchemaVersion = "16.1.4"
 	// Changelog
 	// 16.1.0 - reformulated the python pdm fields (added "URL" and removed the unused "path" field).
 	// 16.1.1 - correct elf package osCpe field according to the document of systemd (also add appCpe field)
 	// 16.1.2 - placeholder for 16.1.2 changelog
 	// 16.1.3 - add GGUFFileParts to GGUFFileHeader metadata
 	// 16.1.4 - add BunLockEntry metadata type for bun.lock support
 )
--- a/internal/file/copy.go
+++ b/internal/file/copy.go
@ -12,8 +12,20 @@ const perFileReadLimit = 2 * GB
 // protect against decompression bomb attacks.
 func safeCopy(writer io.Writer, reader io.Reader) error {
 	numBytes, err := io.Copy(writer, io.LimitReader(reader, perFileReadLimit))
-	if numBytes >= perFileReadLimit || errors.Is(err, io.EOF) {
+	if numBytes >= perFileReadLimit {
 		return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")
 	}
 	// Propagate decompression / read errors up to the caller. io.Copy
 	// on the happy path returns (n, nil); the only way err is non-nil
 	// here is that the underlying reader surfaced a real failure
 	// ("flate: corrupt input before offset X" on a mangled ZIP entry,
 	// a network-backed reader erroring mid-stream, etc.). The previous
 	// implementation dropped that error and the caller stored a
 	// partial / empty buffer as a "successful" extract, which silently
 	// downgraded Java cataloger output and caused SBOM scanners to
 	// miss known CVEs (#4806).
 	if err != nil && !errors.Is(err, io.EOF) {
 		return fmt.Errorf("failed to read archive entry: %w", err)
 	}
 	return nil
 }
--- a/internal/file/copy_test.go
+++ b/internal/file/copy_test.go
@ -0,0 +1,64 @@
 package file
 import (
 	"bytes"
 	"errors"
 	"io"
 	"strings"
 	"testing"
 )
 // errReader returns a deterministic non-EOF error after emitting some
 // bytes, mimicking what compress/flate does when it hits a corrupt
 // stream mid-entry.
 type errReader struct {
 	data []byte
 	err  error
 	off  int
 }
 func (r *errReader) Read(p []byte) (int, error) {
 	if r.off >= len(r.data) {
 		return 0, r.err
 	}
 	n := copy(p, r.data[r.off:])
 	r.off += n
 	return n, nil
 }
 func TestSafeCopy(t *testing.T) {
 	t.Run("clean copy returns nil", func(t *testing.T) {
 		var buf bytes.Buffer
 		if err := safeCopy(&buf, strings.NewReader("hello")); err != nil {
 			t.Fatalf("unexpected error: %v", err)
 		}
 		if got := buf.String(); got != "hello" {
 			t.Fatalf("unexpected buffer contents: %q", got)
 		}
 	})
 	t.Run("propagates decompression error", func(t *testing.T) {
 		// #4806: safeCopy used to drop non-EOF errors, so the caller
 		// would persist a partial buffer as a successful extract and
 		// downstream catalogers silently read empty manifests.
 		sentinel := errors.New("flate: corrupt input before offset 42")
 		var buf bytes.Buffer
 		err := safeCopy(&buf, &errReader{data: []byte("partial"), err: sentinel})
 		if err == nil {
 			t.Fatalf("expected error to be returned, got nil")
 		}
 		if !errors.Is(err, sentinel) {
 			t.Fatalf("error does not wrap sentinel: %v", err)
 		}
 	})
 	t.Run("EOF is not treated as an error", func(t *testing.T) {
 		// The old code had a dead io.EOF branch that labelled clean
 		// reads as decompression bombs; keep the happy path clean.
 		var buf bytes.Buffer
 		err := safeCopy(&buf, io.LimitReader(strings.NewReader("abc"), 3))
 		if err != nil {
 			t.Fatalf("unexpected error on clean copy: %v", err)
 		}
 	})
 }
--- a/internal/file/getter_test.go
+++ b/internal/file/getter_test.go
@ -151,11 +151,11 @@ func TestGetter_GetToDir_CertConcerns(t *testing.T) {
 	}
 }
-func assertUnknownAuthorityError(t assert.TestingT, err error, _ ...interface{}) bool {
+func assertUnknownAuthorityError(t assert.TestingT, err error, _ ...any) bool {
 	return assert.ErrorAs(t, err, &x509.UnknownAuthorityError{})
 }
-func assertErrNonArchiveSource(t assert.TestingT, err error, _ ...interface{}) bool {
+func assertErrNonArchiveSource(t assert.TestingT, err error, _ ...any) bool {
 	return assert.ErrorIs(t, err, ErrNonArchiveSource)
 }
--- a/internal/file/squashfs.go
+++ b/internal/file/squashfs.go
@ -5,6 +5,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/diskfs/go-diskfs/filesystem"
 )
@ -14,8 +15,7 @@ type WalkDiskDirFunc func(fsys filesystem.FileSystem, path string, d os.FileInfo
 // WalkDiskDir walks the file tree within the go-diskfs filesystem at root, calling fn for each file or directory in the tree, including root.
 // This is meant to mimic the behavior of fs.WalkDir in the standard library.
 func WalkDiskDir(fsys filesystem.FileSystem, root string, fn WalkDiskDirFunc) error {
-	infos, err := fsys.ReadDir(root)
+	infos, err := readDiskDir(fsys, root)
 	if err != nil {
 		return err
 	}
@ -51,7 +51,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 	isDir := d != nil && d.IsDir()
 	if d == nil {
-		_, err := fsys.ReadDir(name)
+		_, err := readDiskDir(fsys, name)
 		if err != nil {
 			return nil
 		}
@ -62,7 +62,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 		return nil
 	}
-	dirs, err := fsys.ReadDir(name)
+	dirs, err := readDiskDir(fsys, name)
 	if err != nil {
 		err = walkDirFn(fsys, name, d, err)
 		if err != nil {
@ -87,3 +87,33 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 	}
 	return nil
 }
 // readDiskDir reads the directory entries at the given path from a go-diskfs filesystem.
 // go-diskfs returns fs.DirEntry values; these are resolved to os.FileInfo so callers have
 // access to the full file metadata (mode, size, modification time).
 func readDiskDir(fsys filesystem.FileSystem, p string) ([]os.FileInfo, error) {
 	entries, err := fsys.ReadDir(ToFSPath(p))
 	if err != nil {
 		return nil, err
 	}
 	infos := make([]os.FileInfo, 0, len(entries))
 	for _, entry := range entries {
 		info, err := entry.Info()
 		if err != nil {
 			return nil, err
 		}
 		infos = append(infos, info)
 	}
 	return infos, nil
 }
 // ToFSPath converts an absolute ("/"-rooted) path into an io/fs-valid path as required by
 // go-diskfs, where the root is "." and other paths carry no leading slash (see io/fs.ValidPath).
 func ToFSPath(p string) string {
 	p = strings.TrimPrefix(p, "/")
 	if p == "" {
 		return "."
 	}
 	return p
 }
--- a/internal/file/squashfs_test.go
+++ b/internal/file/squashfs_test.go
@ -43,10 +43,10 @@ func createTestFS(t *testing.T) filesystem.FileSystem {
 	for _, tf := range testFiles {
 		if tf.isDir {
-			err := fsys.Mkdir(tf.path)
+			err := fsys.Mkdir(ToFSPath(tf.path))
 			require.NoError(t, err)
 		} else {
-			f, err := fsys.OpenFile(tf.path, os.O_CREATE|os.O_RDWR)
+			f, err := fsys.OpenFile(ToFSPath(tf.path), os.O_CREATE|os.O_RDWR)
 			require.NoError(t, err)
 			_, err = f.Write([]byte(tf.content))
 			require.NoError(t, err)
--- a/internal/file/zip_file_manifest_test.go
+++ b/internal/file/zip_file_manifest_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package file
--- a/internal/file/zip_file_traversal_test.go
+++ b/internal/file/zip_file_traversal_test.go
@ -1,5 +1,4 @@
 //go:build !windows
 // +build !windows
 package file
@ -242,8 +241,8 @@ func assertZipSourceFixtureContents(t testing.TB, actual map[string]string, expe
 }
 // looks like there isn't a helper for this yet? https://github.com/stretchr/testify/issues/497
-func assertErrorAs(expectedErr interface{}) assert.ErrorAssertionFunc {
+func assertErrorAs(expectedErr any) assert.ErrorAssertionFunc {
-	return func(t assert.TestingT, actualErr error, i ...interface{}) bool {
+	return func(t assert.TestingT, actualErr error, i ...any) bool {
 		return errors.As(actualErr, &expectedErr)
 	}
 }
--- a/internal/jsonschema/comments_test.go
+++ b/internal/jsonschema/comments_test.go
@ -6,9 +6,9 @@ import (
 	"testing"
 	"github.com/invopop/jsonschema"
 	orderedmap "github.com/pb33f/ordered-map/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	orderedmap "github.com/wk8/go-ordered-map/v2"
 )
 // TestCopyAliasFieldComments verifies that field comments from source types are correctly copied to alias types.
--- a/internal/jsonschema/main.go
+++ b/internal/jsonschema/main.go
@ -143,7 +143,7 @@ func build() *jsonschema.Schema {
 	// srcMetadataContainer := assembleTypeContainer(sourcemetadata.AllTypes())
 	// srcMetadataContainerType := reflect.TypeOf(srcMetadataContainer)
-	documentSchema := reflector.ReflectFromType(reflect.TypeOf(&syftJsonModel.Document{}))
+	documentSchema := reflector.ReflectFromType(reflect.TypeFor[*syftJsonModel.Document]())
 	pkgMetadataSchema := reflector.ReflectFromType(reflect.TypeOf(pkgMetadataContainer))
 	// srcMetadataSchema := reflector.ReflectFromType(reflect.TypeOf(srcMetadataContainer))
--- a/internal/log/log.go
+++ b/internal/log/log.go
@ -30,61 +30,61 @@ func Get() logger.Logger {
 }
 // Errorf takes a formatted template string and template arguments for the error logging level.
-func Errorf(format string, args ...interface{}) {
+func Errorf(format string, args ...any) {
 	log.Errorf(format, args...)
 }
 // Error logs the given arguments at the error logging level.
-func Error(args ...interface{}) {
+func Error(args ...any) {
 	log.Error(args...)
 }
 // Warnf takes a formatted template string and template arguments for the warning logging level.
-func Warnf(format string, args ...interface{}) {
+func Warnf(format string, args ...any) {
 	log.Warnf(format, args...)
 }
 // Warn logs the given arguments at the warning logging level.
-func Warn(args ...interface{}) {
+func Warn(args ...any) {
 	log.Warn(args...)
 }
 // Infof takes a formatted template string and template arguments for the info logging level.
-func Infof(format string, args ...interface{}) {
+func Infof(format string, args ...any) {
 	log.Infof(format, args...)
 }
 // Info logs the given arguments at the info logging level.
-func Info(args ...interface{}) {
+func Info(args ...any) {
 	log.Info(args...)
 }
 // Debugf takes a formatted template string and template arguments for the debug logging level.
-func Debugf(format string, args ...interface{}) {
+func Debugf(format string, args ...any) {
 	log.Debugf(format, args...)
 }
 // Debug logs the given arguments at the debug logging level.
-func Debug(args ...interface{}) {
+func Debug(args ...any) {
 	log.Debug(args...)
 }
 // Tracef takes a formatted template string and template arguments for the trace logging level.
-func Tracef(format string, args ...interface{}) {
+func Tracef(format string, args ...any) {
 	log.Tracef(format, args...)
 }
 // Trace logs the given arguments at the trace logging level.
-func Trace(args ...interface{}) {
+func Trace(args ...any) {
 	log.Trace(args...)
 }
 // WithFields returns a message logger with multiple key-value fields.
-func WithFields(fields ...interface{}) logger.MessageLogger {
+func WithFields(fields ...any) logger.MessageLogger {
 	return log.WithFields(fields...)
 }
 // Nested returns a new logger with hard coded key-value pairs
-func Nested(fields ...interface{}) logger.Logger {
+func Nested(fields ...any) logger.Logger {
 	return log.Nested(fields...)
 }
--- a/internal/packagemetadata/generated.go
+++ b/internal/packagemetadata/generated.go
@ -11,6 +11,7 @@ func AllTypes() []any {
 		pkg.ApkDBEntry{},
 		pkg.BinarySignature{},
 		pkg.BitnamiSBOMEntry{},
 		pkg.BunLockEntry{},
 		pkg.CocoaPodfileLockEntry{},
 		pkg.ConanV1LockEntry{},
 		pkg.ConanV2LockEntry{},
--- a/internal/packagemetadata/names.go
+++ b/internal/packagemetadata/names.go
@ -96,6 +96,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.NpmPackageLockEntry{}, "javascript-npm-package-lock-entry", "NpmPackageLockJsonMetadata"),
 	jsonNames(pkg.YarnLockEntry{}, "javascript-yarn-lock-entry", "YarnLockJsonMetadata"),
 	jsonNames(pkg.PnpmLockEntry{}, "javascript-pnpm-lock-entry"),
 	jsonNames(pkg.BunLockEntry{}, "javascript-bun-lock-entry"),
 	jsonNames(pkg.PEBinary{}, "pe-binary"),
 	jsonNames(pkg.PhpComposerLockEntry{}, "php-composer-lock-entry", "PhpComposerJsonMetadata"),
 	jsonNamesWithoutLookup(pkg.PhpComposerInstalledEntry{}, "php-composer-installed-entry", "PhpComposerJsonMetadata"), // the legacy value is split into two types, where the other is preferred
--- a/internal/packagemetadata/names_test.go
+++ b/internal/packagemetadata/names_test.go
@ -40,28 +40,28 @@ func TestReflectTypeFromJSONName(t *testing.T) {
 		{
 			name:       "exact match on ID",
 			lookup:     "rust-cargo-lock-entry",
-			wantRecord: reflect.TypeOf(pkg.RustCargoLockEntry{}),
+			wantRecord: reflect.TypeFor[pkg.RustCargoLockEntry](),
 		},
 		{
 			name:       "exact match on former name",
 			lookup:     "RustCargoPackageMetadata",
-			wantRecord: reflect.TypeOf(pkg.RustCargoLockEntry{}),
+			wantRecord: reflect.TypeFor[pkg.RustCargoLockEntry](),
 		},
 		{
 			name:       "case insensitive on ID",
 			lookup:     "RUST-CARGO-lock-entrY",
-			wantRecord: reflect.TypeOf(pkg.RustCargoLockEntry{}),
+			wantRecord: reflect.TypeFor[pkg.RustCargoLockEntry](),
 		},
 		{
 			name:       "case insensitive on alias",
 			lookup:     "rusTcArgopacKagEmEtadATa",
-			wantRecord: reflect.TypeOf(pkg.RustCargoLockEntry{}),
+			wantRecord: reflect.TypeFor[pkg.RustCargoLockEntry](),
 		},
 		{
 			name: "consistent override",
 			// there are two correct answers for this -- we should always get the same answer.
 			lookup:     "HackageMetadataType",
-			wantRecord: reflect.TypeOf(pkg.HackageStackYamlLockEntry{}),
+			wantRecord: reflect.TypeFor[pkg.HackageStackYamlLockEntry](),
 		},
 	}
 	for _, tt := range tests {
@ -83,142 +83,142 @@ func TestReflectTypeFromJSONName_LegacyValues(t *testing.T) {
 		{
 			name:     "map pkg.AlpmDBEntry struct type",
 			input:    "AlpmMetadata",
-			expected: reflect.TypeOf(pkg.AlpmDBEntry{}),
+			expected: reflect.TypeFor[pkg.AlpmDBEntry](),
 		},
 		{
 			name:     "map pkg.ApkDBEntry struct type",
 			input:    "ApkMetadata",
-			expected: reflect.TypeOf(pkg.ApkDBEntry{}),
+			expected: reflect.TypeFor[pkg.ApkDBEntry](),
 		},
 		{
 			name:     "map pkg.BinarySignature struct type",
 			input:    "BinaryMetadata",
-			expected: reflect.TypeOf(pkg.BinarySignature{}),
+			expected: reflect.TypeFor[pkg.BinarySignature](),
 		},
 		{
 			name:     "map pkg.CocoaPodfileLockEntry struct type",
 			input:    "CocoapodsMetadataType",
-			expected: reflect.TypeOf(pkg.CocoaPodfileLockEntry{}),
+			expected: reflect.TypeFor[pkg.CocoaPodfileLockEntry](),
 		},
 		{
 			name:     "map pkg.ConanLockEntry struct type",
 			input:    "ConanLockMetadataType",
-			expected: reflect.TypeOf(pkg.ConanV1LockEntry{}),
+			expected: reflect.TypeFor[pkg.ConanV1LockEntry](),
 		},
 		{
 			name:     "map pkg.ConanfileEntry struct type",
 			input:    "ConanMetadataType",
-			expected: reflect.TypeOf(pkg.ConanfileEntry{}),
+			expected: reflect.TypeFor[pkg.ConanfileEntry](),
 		},
 		{
 			name:     "map pkg.DartPubspecLockEntry struct type",
 			input:    "DartPubMetadata",
-			expected: reflect.TypeOf(pkg.DartPubspecLockEntry{}),
+			expected: reflect.TypeFor[pkg.DartPubspecLockEntry](),
 		},
 		{
 			name:     "map pkg.DotnetDepsEntry struct type",
 			input:    "DotnetDepsMetadata",
-			expected: reflect.TypeOf(pkg.DotnetDepsEntry{}),
+			expected: reflect.TypeFor[pkg.DotnetDepsEntry](),
 		},
 		{
 			name:     "map pkg.DpkgDBEntry struct type",
 			input:    "DpkgMetadata",
-			expected: reflect.TypeOf(pkg.DpkgDBEntry{}),
+			expected: reflect.TypeFor[pkg.DpkgDBEntry](),
 		},
 		{
 			name:     "map pkg.RubyGemspec struct type",
 			input:    "GemMetadata",
-			expected: reflect.TypeOf(pkg.RubyGemspec{}),
+			expected: reflect.TypeFor[pkg.RubyGemspec](),
 		},
 		{
 			name:     "map pkg.GolangBinaryBuildinfoEntry struct type",
 			input:    "GolangBinMetadata",
-			expected: reflect.TypeOf(pkg.GolangBinaryBuildinfoEntry{}),
+			expected: reflect.TypeFor[pkg.GolangBinaryBuildinfoEntry](),
 		},
 		{
 			name:     "map pkg.GolangModuleEntry struct type",
 			input:    "GolangModMetadata",
-			expected: reflect.TypeOf(pkg.GolangModuleEntry{}),
+			expected: reflect.TypeFor[pkg.GolangModuleEntry](),
 		},
 		{
 			name:     "map pkg.JavaArchive struct type",
 			input:    "JavaMetadata",
-			expected: reflect.TypeOf(pkg.JavaArchive{}),
+			expected: reflect.TypeFor[pkg.JavaArchive](),
 		},
 		{
 			name:     "map pkg.MicrosoftKbPatch struct type",
 			input:    "KbPatchMetadata",
-			expected: reflect.TypeOf(pkg.MicrosoftKbPatch{}),
+			expected: reflect.TypeFor[pkg.MicrosoftKbPatch](),
 		},
 		{
 			name:     "map pkg.LinuxKernel struct type",
 			input:    "LinuxKernel",
-			expected: reflect.TypeOf(pkg.LinuxKernel{}),
+			expected: reflect.TypeFor[pkg.LinuxKernel](),
 		},
 		{
 			name:     "map pkg.LinuxKernelModule struct type",
 			input:    "LinuxKernelModule",
-			expected: reflect.TypeOf(pkg.LinuxKernelModule{}),
+			expected: reflect.TypeFor[pkg.LinuxKernelModule](),
 		},
 		{
 			name:     "map pkg.ElixirMixLockEntry struct type",
 			input:    "MixLockMetadataType",
-			expected: reflect.TypeOf(pkg.ElixirMixLockEntry{}),
+			expected: reflect.TypeFor[pkg.ElixirMixLockEntry](),
 		},
 		{
 			name:     "map pkg.NixStoreEntry struct type",
 			input:    "NixStoreMetadata",
-			expected: reflect.TypeOf(pkg.NixStoreEntry{}),
+			expected: reflect.TypeFor[pkg.NixStoreEntry](),
 		},
 		{
 			name:     "map pkg.NpmPackage struct type",
 			input:    "NpmPackageJsonMetadata",
-			expected: reflect.TypeOf(pkg.NpmPackage{}),
+			expected: reflect.TypeFor[pkg.NpmPackage](),
 		},
 		{
 			name:     "map pkg.NpmPackageLockEntry struct type",
 			input:    "NpmPackageLockJsonMetadata",
-			expected: reflect.TypeOf(pkg.NpmPackageLockEntry{}),
+			expected: reflect.TypeFor[pkg.NpmPackageLockEntry](),
 		},
 		{
 			name:     "map pkg.PortageEntry struct type",
 			input:    "PortageMetadata",
-			expected: reflect.TypeOf(pkg.PortageEntry{}),
+			expected: reflect.TypeFor[pkg.PortageEntry](),
 		},
 		{
 			name:     "map pkg.PythonPackage struct type",
 			input:    "PythonPackageMetadata",
-			expected: reflect.TypeOf(pkg.PythonPackage{}),
+			expected: reflect.TypeFor[pkg.PythonPackage](),
 		},
 		{
 			name:     "map pkg.PythonPipfileLockEntry struct type",
 			input:    "PythonPipfileLockMetadata",
-			expected: reflect.TypeOf(pkg.PythonPipfileLockEntry{}),
+			expected: reflect.TypeFor[pkg.PythonPipfileLockEntry](),
 		},
 		{
 			name:     "map pkg.PythonRequirementsEntry struct type",
 			input:    "PythonRequirementsMetadata",
-			expected: reflect.TypeOf(pkg.PythonRequirementsEntry{}),
+			expected: reflect.TypeFor[pkg.PythonRequirementsEntry](),
 		},
 		{
 			name:     "map pkg.PhpPeclEntry struct type",
 			input:    "PhpPeclMetadata",
-			expected: reflect.TypeOf(pkg.PhpPeclEntry{}),
+			expected: reflect.TypeFor[pkg.PhpPeclEntry](),
 		},
 		{
 			name:     "map pkg.ErlangRebarLockEntry struct type",
 			input:    "RebarLockMetadataType",
-			expected: reflect.TypeOf(pkg.ErlangRebarLockEntry{}),
+			expected: reflect.TypeFor[pkg.ErlangRebarLockEntry](),
 		},
 		{
 			name:     "map pkg.RDescription struct type",
 			input:    "RDescriptionFileMetadataType",
-			expected: reflect.TypeOf(pkg.RDescription{}),
+			expected: reflect.TypeFor[pkg.RDescription](),
 		},
 		{
 			name:     "map pkg.RpmDBEntry struct type",
 			input:    "RpmdbMetadata",
-			expected: reflect.TypeOf(pkg.RpmDBEntry{}),
+			expected: reflect.TypeFor[pkg.RpmDBEntry](),
 		},
 		// these cases are 1:many
 		{
@ -228,28 +228,28 @@ func TestReflectTypeFromJSONName_LegacyValues(t *testing.T) {
 			// from a data-shape perspective either would be equally correct
 			// however, the RPMDBMetadata has been around longer and may have been more widely used
 			// so we'll map to that type for backwards compatibility.
-			expected: reflect.TypeOf(pkg.RpmDBEntry{}),
+			expected: reflect.TypeFor[pkg.RpmDBEntry](),
 		},
 		{
 			name:  "map pkg.HackageStackYamlLockEntry struct type - overlap with HackageStack*Metadata",
 			input: "HackageMetadataType",
 			// this used to be shared as a use case for both HackageStackYamlLockEntry and HackageStackYamlEntry
 			// but the HackageStackYamlLockEntry maps most closely to the original data shape.
-			expected: reflect.TypeOf(pkg.HackageStackYamlLockEntry{}),
+			expected: reflect.TypeFor[pkg.HackageStackYamlLockEntry](),
 		},
 		{
 			name:  "map pkg.PhpComposerLockEntry struct type",
 			input: "PhpComposerJsonMetadata",
 			// this used to be shared as a use case for both PhpComposerLockEntry and PhpComposerInstalledEntry
 			// neither of these is more correct over the other. These parsers were also introduced at the same time.
-			expected: reflect.TypeOf(pkg.PhpComposerLockEntry{}),
+			expected: reflect.TypeFor[pkg.PhpComposerLockEntry](),
 		},
 		{
 			name:  "map pkg.RustCargoLockEntry struct type",
 			input: "RustCargoPackageMetadata",
 			// this used to be shared as a use case for both RustCargoLockEntry and RustBinaryAuditEntry
 			// neither of these is more correct over the other.
-			expected: reflect.TypeOf(pkg.RustCargoLockEntry{}),
+			expected: reflect.TypeFor[pkg.RustCargoLockEntry](),
 		},
 	}
--- a/internal/regex_helpers.go
+++ b/internal/regex_helpers.go
@ -92,10 +92,7 @@ func processReaderInChunks(rdr io.Reader, chunkSize int, handler func(data []byt
 	lastRead := 0
 	for {
-		offset := half
+		offset := min(lastRead, half)
 		if lastRead < half {
 			offset = lastRead
 		}
 		start := half - offset
 		if lastRead > 0 {
 			copy(buf[start:], buf[half+offset:half+lastRead])
--- a/internal/relationship/exclude_binaries_by_file_ownership_overlap.go
+++ b/internal/relationship/exclude_binaries_by_file_ownership_overlap.go
@ -26,9 +26,9 @@ var (
 		pkg.BitnamiPkg,
 	}
 	binaryMetadataTypes = []string{
-		reflect.TypeOf(pkg.ELFBinaryPackageNoteJSONPayload{}).Name(),
+		reflect.TypeFor[pkg.ELFBinaryPackageNoteJSONPayload]().Name(),
-		reflect.TypeOf(pkg.BinarySignature{}).Name(),
+		reflect.TypeFor[pkg.BinarySignature]().Name(),
-		reflect.TypeOf(pkg.JavaVMInstallation{}).Name(),
+		reflect.TypeFor[pkg.JavaVMInstallation]().Name(),
 	}
 )
--- a/internal/relationship/exclude_binaries_by_file_ownership_overlap_test.go
+++ b/internal/relationship/exclude_binaries_by_file_ownership_overlap_test.go
@ -15,7 +15,6 @@ func TestExcludeByFileOwnershipOverlap(t *testing.T) {
 	packageC := pkg.Package{Name: "package-c", Type: pkg.BinaryPkg, Metadata: pkg.ELFBinaryPackageNoteJSONPayload{Type: "rpm"}}
 	packageD := pkg.Package{Name: "package-d", Type: pkg.BitnamiPkg}
 	for _, p := range []*pkg.Package{&packageA, &packageB, &packageC, &packageD} {
 		p := p
 		p.SetID()
 	}
--- a/internal/sourcemetadata/names.go
+++ b/internal/sourcemetadata/names.go
@ -8,11 +8,11 @@ import (
 )
 var jsonNameFromType = map[reflect.Type][]string{
-	reflect.TypeOf(source.DirectoryMetadata{}): {"directory", "dir"},
+	reflect.TypeFor[source.DirectoryMetadata](): {"directory", "dir"},
-	reflect.TypeOf(source.FileMetadata{}):      {"file"},
+	reflect.TypeFor[source.FileMetadata]():      {"file"},
-	reflect.TypeOf(source.ImageMetadata{}):     {"image"},
+	reflect.TypeFor[source.ImageMetadata]():     {"image"},
-	reflect.TypeOf(source.SnapMetadata{}):      {"snap"},
+	reflect.TypeFor[source.SnapMetadata]():      {"snap"},
-	reflect.TypeOf(source.OCIModelMetadata{}):  {"oci-model"},
+	reflect.TypeFor[source.OCIModelMetadata]():  {"oci-model"},
 }
 func AllTypeNames() []string {
--- a/internal/string_helpers.go
+++ b/internal/string_helpers.go
@ -1,6 +1,9 @@
 package internal
-import "strings"
+import (
 	"slices"
 	"strings"
 )
 // HasAnyOfPrefixes returns an indication if the given string has any of the given prefixes.
 func HasAnyOfPrefixes(input string, prefixes ...string) bool {
@ -32,12 +35,7 @@ func TruncateMiddleEllipsis(input string, maxLen int) string {
 }
 func StringInSlice(a string, list []string) bool {
-	for _, b := range list {
+	return slices.Contains(list, a)
 		if b == a {
 			return true
 		}
 	}
 	return false
 }
 func SplitAny(s string, seps string) []string {
--- a/internal/task/package_tasks.go
+++ b/internal/task/package_tasks.go
@ -161,7 +161,7 @@ func DefaultPackageTaskFactories() Factories {
 			pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary",
 		),
 		newSimplePackageTaskFactory(binary.NewELFPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "elf-package", "elf"),
-		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe"),
+		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe", "bpl"),
 		newSimplePackageTaskFactory(githubactions.NewActionUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(githubactions.NewWorkflowUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(java.NewJvmDistributionCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "java", "jvm", "jdk", "jre"),
--- a/internal/tmpdir/tmpdir_test.go
+++ b/internal/tmpdir/tmpdir_test.go
@ -198,7 +198,7 @@ func TestConcurrentNewChildAndNewFile(t *testing.T) {
 	errs := make(chan error, goroutines)
 	paths := make(chan string, goroutines)
-	for i := 0; i < goroutines; i++ {
+	for i := range goroutines {
 		go func(i int) {
 			if i%2 == 0 {
 				child, cleanup, err := td.NewChild("concurrent")
@ -223,7 +223,7 @@ func TestConcurrentNewChildAndNewFile(t *testing.T) {
 	}
 	seen := make(map[string]bool)
-	for i := 0; i < goroutines; i++ {
+	for range goroutines {
 		err := <-errs
 		require.NoError(t, err)
 	}
@ -250,7 +250,7 @@ func TestConcurrentNewChildDuringCleanup(t *testing.T) {
 		close(done)
 	}()
 	// try creating children concurrently with cleanup — should get errors, not panics
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		_, c, _ := td.NewChild("race")
 		if c != nil {
 			c()
--- a/internal/tprint.go
+++ b/internal/tprint.go
@ -6,7 +6,7 @@ import (
 )
 // Tprintf renders a string from a given template string and field values
-func Tprintf(tmpl string, data map[string]interface{}) string {
+func Tprintf(tmpl string, data map[string]any) string {
 	t := template.Must(template.New("").Parse(tmpl))
 	buf := &bytes.Buffer{}
 	if err := t.Execute(buf, data); err != nil {
--- a/internal/unknown/coordinate_error.go
+++ b/internal/unknown/coordinate_error.go
@ -3,6 +3,7 @@ package unknown
 import (
 	"errors"
 	"fmt"
 	"slices"
 	"strings"
 	"github.com/anchore/syft/internal/log"
@ -155,12 +156,7 @@ func containsErr(out []error, err error) bool {
 			log.Tracef("error comparing errors: %v", err)
 		}
 	}()
-	for _, e := range out {
+	return slices.Contains(out, err)
 		if e == err {
 			return true
 		}
 	}
 	return false
 }
 // visitErrors visits every wrapped error. the returned error replaces the provided error, null errors are omitted from
--- a/schema/cyclonedx/cyclonedx.json
+++ b/schema/cyclonedx/cyclonedx.json
@ -5132,6 +5132,7 @@
                "armv9-a",
                "armv9-m",
                "s390x",
                "riscv64",
                "ppc64",
                "ppc64le",
                "other",
--- a/schema/cyclonedx/cyclonedx.xsd
+++ b/schema/cyclonedx/cyclonedx.xsd
@ -6471,6 +6471,7 @@ limitations under the License.
                                    <xs:enumeration value="armv9-a"/>
                                    <xs:enumeration value="armv9-m"/>
                                    <xs:enumeration value="s390x"/>
                                    <xs:enumeration value="riscv64"/>
                                    <xs:enumeration value="ppc64"/>
                                    <xs:enumeration value="ppc64le"/>
                                    <xs:enumeration value="other"/>
--- a/schema/json/schema-16.1.4.json
+++ b/schema/json/schema-16.1.4.json
--- a/schema/json/schema-latest.json
+++ b/schema/json/schema-latest.json
@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.1.3/document",
+  "$id": "anchore.io/schema/syft/json/16.1.4/document",
  "$ref": "#/$defs/Document",
  "$defs": {
    "AlpmDbEntry": {
@ -1918,6 +1918,61 @@
      "type": "object",
      "description": "JavaVMRelease represents JVM version and build information extracted from the release file in a Java installation."
    },
    "JavascriptBunLockEntry": {
      "properties": {
        "integrity": {
          "type": "string",
          "description": "Integrity is Subresource Integrity hash for verification (SRI format)"
        },
        "dependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "Dependencies is a map of runtime dependencies and their version specifiers"
        },
        "optionalDependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "OptionalDependencies is a map of optional dependencies and their version specifiers"
        },
        "peerDependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "PeerDependencies is a map of peer dependencies and their version specifiers"
        },
        "bin": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "Bin is a map of binary names to the paths they are installed to"
        },
        "os": {
          "type": "string",
          "description": "OS is the operating system constraint for the package (e.g. \"darwin\")"
        },
        "cpu": {
          "type": "string",
          "description": "CPU is the CPU architecture constraint for the package (e.g. \"arm64\")"
        }
      },
      "type": "object",
      "required": [
        "integrity",
        "dependencies",
        "optionalDependencies",
        "peerDependencies",
        "bin",
        "os",
        "cpu"
      ],
      "description": "BunLockEntry represents a single entry in the \"packages\" section of a bun.lock file"
    },
    "JavascriptNpmPackage": {
      "properties": {
        "name": {
@ -2657,6 +2712,9 @@
            {
              "$ref": "#/$defs/JavaJvmInstallation"
            },
            {
              "$ref": "#/$defs/JavascriptBunLockEntry"
            },
            {
              "$ref": "#/$defs/JavascriptNpmPackage"
            },
--- a/syft/artifact/id.go
+++ b/syft/artifact/id.go
@ -13,7 +13,7 @@ type Identifiable interface {
 	ID() ID
 }
-func IDByHash(obj interface{}) (ID, error) {
+func IDByHash(obj any) (ID, error) {
 	f, err := hashstructure.Hash(obj, &hashstructure.HashOptions{
 		ZeroNil:      true,
 		SlicesAsSets: true,
--- a/syft/artifact/relationship.go
+++ b/syft/artifact/relationship.go
@ -38,5 +38,5 @@ type Relationship struct {
 	From Identifiable
 	To   Identifiable
 	Type RelationshipType
-	Data interface{}
+	Data any
 }
--- a/syft/configuration_audit_trail.go
+++ b/syft/configuration_audit_trail.go
@ -41,7 +41,7 @@ func (cfg configurationAuditTrail) MarshalJSON() ([]byte, error) {
 		return nil, err
 	}
-	var dataMap map[string]interface{}
+	var dataMap map[string]any
 	if err := json.Unmarshal(initialJSON, &dataMap); err != nil {
 		return nil, err
 	}
@ -55,13 +55,13 @@ func (cfg configurationAuditTrail) MarshalJSON() ([]byte, error) {
 }
 // marshalSorted recursively marshals a map with sorted keys
-func marshalSorted(m interface{}) ([]byte, error) {
+func marshalSorted(m any) ([]byte, error) {
 	if reflect.TypeOf(m).Kind() != reflect.Map {
 		return json.Marshal(m)
 	}
 	val := reflect.ValueOf(m)
-	sortedMap := make(map[string]interface{})
+	sortedMap := make(map[string]any)
 	for _, key := range val.MapKeys() {
 		value := val.MapIndex(key).Interface()
--- a/syft/configuration_audit_trail_test.go
+++ b/syft/configuration_audit_trail_test.go
@ -33,7 +33,7 @@ func Test_configurationAuditTrail_StructTags(t *testing.T) {
 }
-func getJSONTags(t *testing.T, v interface{}) []string {
+func getJSONTags(t *testing.T, v any) []string {
 	var tags []string
 	err := collectJSONTags(t, reflect.ValueOf(v), &tags, "", "")
 	require.NoError(t, err)
@ -142,7 +142,7 @@ func Test_collectJSONTags(t *testing.T) {
 	tests := []struct {
 		name    string
-		v       interface{}
+		v       any
 		want    []string
 		wantErr require.ErrorAssertionFunc
 	}{
--- a/syft/create_sbom_config.go
+++ b/syft/create_sbom_config.go
@ -34,7 +34,7 @@ type CreateSBOMConfig struct {
 	// audit what tool is being used to generate the SBOM
 	ToolName          string
 	ToolVersion       string
-	ToolConfiguration interface{}
+	ToolConfiguration any
 	packageTaskFactories       task.Factories
 	packageCatalogerReferences []pkgcataloging.CatalogerReference
--- a/syft/event/parsers/parsers.go
+++ b/syft/event/parsers/parsers.go
@ -17,14 +17,14 @@ import (
 type ErrBadPayload struct {
 	Type  partybus.EventType
 	Field string
-	Value interface{}
+	Value any
 }
 func (e *ErrBadPayload) Error() string {
 	return fmt.Sprintf("event='%s' has bad event payload field=%q: %q", string(e.Type), e.Field, e.Value)
 }
-func newPayloadErr(t partybus.EventType, field string, value interface{}) error {
+func newPayloadErr(t partybus.EventType, field string, value any) error {
 	return &ErrBadPayload{
 		Type:  t,
 		Field: field,
--- a/syft/file/cataloger/executable/testdata/elf/Makefile
+++ b/syft/file/cataloger/executable/testdata/elf/Makefile
@ -15,14 +15,18 @@ fixtures: build verify
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 tools-check:
 	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
 # for selfrando...
 # docker buildx build --platform linux/amd64 -t $(TOOL_IMAGE) .
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
 	   && test -f Dockerfile.sha256 \
 	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
 	  : ; \
 	else \
 	  docker build -t $(TOOL_IMAGE) . \
 	  && sha256sum Dockerfile > Dockerfile.sha256; \
 	fi
 build: tools
 	mkdir -p $(BIN)
@ -46,4 +50,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
-.PHONY: tools tools-check build verify debug clean
+.PHONY: tools build verify debug clean
--- a/syft/file/cataloger/executable/testdata/shared-info/Makefile
+++ b/syft/file/cataloger/executable/testdata/shared-info/Makefile
@ -15,11 +15,15 @@ fixtures: build
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 tools-check:
 	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build --platform linux/amd64 -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
 	   && test -f Dockerfile.sha256 \
 	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
 	  : ; \
 	else \
 	  docker build --platform linux/amd64 -t $(TOOL_IMAGE) . \
 	  && sha256sum Dockerfile > Dockerfile.sha256; \
 	fi
 build: tools
 	@mkdir -p $(BIN)
@ -38,4 +42,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
-.PHONY: tools tools-check build debug clean
+.PHONY: tools build debug clean
--- a/syft/file/search_result.go
+++ b/syft/file/search_result.go
@ -26,5 +26,5 @@ type SearchResult struct {
 }
 func (s SearchResult) String() string {
-	return fmt.Sprintf("SearchResult(classification=%q seek=%q length=%q)", s.Classification, s.SeekPosition, s.Length)
+	return fmt.Sprintf("SearchResult(classification=%q seek=%d length=%d)", s.Classification, s.SeekPosition, s.Length)
 }
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@ -310,9 +310,9 @@ func toRootPackage(s source.Description) *spdx.Package {
 func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
 	id := string(identifiable.ID())
-	if strings.HasPrefix(id, "SPDXRef-") {
+	if after, ok := strings.CutPrefix(id, "SPDXRef-"); ok {
 		// this is already an SPDX ID, no need to change it (except for the prefix)
-		return spdx.ElementID(helpers.SanitizeElementID(strings.TrimPrefix(id, "SPDXRef-")))
+		return spdx.ElementID(helpers.SanitizeElementID(after))
 	}
 	maxLen := 40
 	switch it := identifiable.(type) {
--- a/syft/format/common/spdxhelpers/to_syft_model.go
+++ b/syft/format/common/spdxhelpers/to_syft_model.go
@ -479,7 +479,7 @@ func toSyftLocation(f *spdx.File) file.Location {
 	return l
 }
-func requireAndTrimPrefix(val interface{}, prefix string) string {
+func requireAndTrimPrefix(val any, prefix string) string {
 	if v, ok := val.(string); ok {
 		if i := strings.Index(v, prefix); i == 0 {
 			return strings.Replace(v, prefix, "", 1)
--- a/syft/format/common/spdxhelpers/to_syft_model_test.go
+++ b/syft/format/common/spdxhelpers/to_syft_model_test.go
@ -119,7 +119,7 @@ func Test_extractMetadata(t *testing.T) {
 	oneTwoThreeFour := 1234
 	tests := []struct {
 		pkg  spdx.Package
-		meta interface{}
+		meta any
 	}{
 		{
 			pkg: spdx.Package{
--- a/syft/format/github/internal/model/github_dependency_api.go
+++ b/syft/format/github/internal/model/github_dependency_api.go
@ -73,6 +73,6 @@ type DependencyGraph map[string]DependencyNode
 type ISO8601Date = string
-type Scalar interface{} // should be: null | boolean | string | number
+type Scalar any // should be: null | boolean | string | number
 type Metadata map[string]Scalar
--- a/syft/format/internal/backfill.go
+++ b/syft/format/internal/backfill.go
@ -151,13 +151,13 @@ var epochPrefix = regexp.MustCompile(`^\d+:`)
 // nameFromPurl returns the syft package name of the package from the purl. If the purl includes a namespace,
 // the name is prefixed as appropriate based on the PURL type
 func nameFromPurl(purl packageurl.PackageURL) string {
-	if !nameExcludesPurlNamespace(purl.Type) && purl.Namespace != "" {
+	if !NameExcludesPurlNamespace(purl.Type) && purl.Namespace != "" {
 		return fmt.Sprintf("%s/%s", purl.Namespace, purl.Name)
 	}
 	return purl.Name
 }
-func nameExcludesPurlNamespace(purlType string) bool {
+func NameExcludesPurlNamespace(purlType string) bool {
 	switch purlType {
 	case packageurl.TypeAlpine,
 		packageurl.TypeAlpm,
--- a/syft/format/internal/cyclonedxutil/helpers/author.go
+++ b/syft/format/internal/cyclonedxutil/helpers/author.go
@ -31,7 +31,7 @@ func encodeAuthor(p pkg.Package) string {
 	return ""
 }
-func decodeAuthor(author string, metadata interface{}) {
+func decodeAuthor(author string, metadata any) {
 	switch meta := metadata.(type) {
 	case *pkg.NpmPackage:
 		meta.Author = author
--- a/syft/format/internal/cyclonedxutil/helpers/component.go
+++ b/syft/format/internal/cyclonedxutil/helpers/component.go
@ -165,6 +165,7 @@ func getPURL(c *cyclonedx.Component, ty pkg.Type) string {
 	return purl.ToString()
 }
 //nolint:gocognit
 func setPackageName(p *pkg.Package, c *cyclonedx.Component) {
 	name := c.Name
 	if c.Group != "" {
@ -195,14 +196,16 @@ func setPackageName(p *pkg.Package, c *cyclonedx.Component) {
 				}
 			}
 		default:
 			if !internal.NameExcludesPurlNamespace(p.Type.PackageURLType()) {
 				name = fmt.Sprintf("%s/%s", c.Group, name)
 			}
 		}
 	}
 	p.Name = name
 }
 func decodeLocations(vals map[string]string) file.LocationSet {
-	v := Decode(reflect.TypeOf([]file.Location{}), vals, "syft:location", CycloneDXFields)
+	v := Decode(reflect.TypeFor[[]file.Location](), vals, "syft:location", CycloneDXFields)
 	out, ok := v.([]file.Location)
 	if !ok {
 		out = nil
@ -210,7 +213,7 @@ func decodeLocations(vals map[string]string) file.LocationSet {
 	return file.NewLocationSet(out...)
 }
-func decodePackageMetadata(vals map[string]string, c *cyclonedx.Component, typeName string) interface{} {
+func decodePackageMetadata(vals map[string]string, c *cyclonedx.Component, typeName string) any {
 	if typeName != "" && c.Properties != nil {
 		metadataType := packagemetadata.ReflectTypeFromJSONName(typeName)
 		if metadataType == nil {
--- a/syft/format/internal/cyclonedxutil/helpers/component_test.go
+++ b/syft/format/internal/cyclonedxutil/helpers/component_test.go
@ -384,6 +384,65 @@ func Test_decodeComponent(t *testing.T) {
 	}
 }
 func Test_setPackageName(t *testing.T) {
 	tests := []struct {
 		name     string
 		pkg      pkg.Package
 		comp     cyclonedx.Component
 		wantName string
 	}{
 		{
 			name:     "debian group excluded from name",
 			pkg:      pkg.Package{Type: pkg.DebPkg},
 			comp:     cyclonedx.Component{Name: "wget", Group: "debian"},
 			wantName: "wget",
 		},
 		{
 			name:     "rpm group excluded from name",
 			pkg:      pkg.Package{Type: pkg.RpmPkg},
 			comp:     cyclonedx.Component{Name: "acl", Group: "centos"},
 			wantName: "acl",
 		},
 		{
 			name:     "apk group excluded from name",
 			pkg:      pkg.Package{Type: pkg.ApkPkg},
 			comp:     cyclonedx.Component{Name: "musl", Group: "alpine"},
 			wantName: "musl",
 		},
 		{
 			name:     "npm group included in name",
 			pkg:      pkg.Package{Type: pkg.NpmPkg},
 			comp:     cyclonedx.Component{Name: "node", Group: "@types"},
 			wantName: "@types/node",
 		},
 		{
 			name:     "go module group included in name",
 			pkg:      pkg.Package{Type: pkg.GoModulePkg},
 			comp:     cyclonedx.Component{Name: "net", Group: "golang.org/x"},
 			wantName: "golang.org/x/net",
 		},
 		{
 			name:     "no group leaves name unchanged",
 			pkg:      pkg.Package{Type: pkg.DebPkg},
 			comp:     cyclonedx.Component{Name: "wget"},
 			wantName: "wget",
 		},
 		{
 			name:     "java group stored in metadata not name",
 			pkg:      pkg.Package{Type: pkg.JavaPkg},
 			comp:     cyclonedx.Component{Name: "log4j", Group: "org.apache.logging.log4j"},
 			wantName: "log4j",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			p := tt.pkg
 			setPackageName(&p, &tt.comp)
 			assert.Equal(t, tt.wantName, p.Name)
 		})
 	}
 }
 func TestGetPURL(t *testing.T) {
 	tests := []struct {
 		name      string
--- a/syft/format/internal/cyclonedxutil/helpers/decoder.go
+++ b/syft/format/internal/cyclonedxutil/helpers/decoder.go
@ -26,7 +26,7 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 		Descriptor: extractDescriptor(bom.Metadata),
 	}
-	idMap := make(map[string]interface{})
+	idMap := make(map[string]any)
 	if err := collectBomPackages(bom, s, idMap); err != nil {
 		return nil, err
@ -37,7 +37,7 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 	return s, nil
 }
-func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]interface{}) error {
+func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]any) error {
 	componentsPresent := false
 	if bom.Components != nil {
 		for i := range *bom.Components {
@ -58,7 +58,7 @@ func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]inter
 	return nil
 }
-func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[string]interface{}) {
+func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[string]any) {
 	switch component.Type {
 	case cyclonedx.ComponentTypeOS:
 	case cyclonedx.ComponentTypeContainer:
@ -168,7 +168,7 @@ func getPropertyValue(component *cyclonedx.Component, name string) string {
 	return ""
 }
-func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]interface{}) {
+func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]any) {
 	if bom.Dependencies == nil {
 		return
 	}
--- a/syft/format/internal/cyclonedxutil/helpers/description.go
+++ b/syft/format/internal/cyclonedxutil/helpers/description.go
@ -14,7 +14,7 @@ func encodeDescription(p pkg.Package) string {
 	return ""
 }
-func decodeDescription(description string, metadata interface{}) {
+func decodeDescription(description string, metadata any) {
 	switch meta := metadata.(type) {
 	case *pkg.ApkDBEntry:
 		meta.Description = description
--- a/syft/format/internal/cyclonedxutil/helpers/external_references.go
+++ b/syft/format/internal/cyclonedxutil/helpers/external_references.go
@ -100,7 +100,7 @@ func toCycloneDXAlgorithm(algorithm string) cyclonedx.HashAlgorithm {
 	return validMap[strings.ToLower(algorithm)]
 }
-func decodeExternalReferences(c *cyclonedx.Component, metadata interface{}) {
+func decodeExternalReferences(c *cyclonedx.Component, metadata any) {
 	if c.ExternalReferences == nil {
 		return
 	}
--- a/syft/format/internal/cyclonedxutil/helpers/group.go
+++ b/syft/format/internal/cyclonedxutil/helpers/group.go
@ -11,7 +11,7 @@ func encodeGroup(p pkg.Package) string {
 	return ""
 }
-func decodeGroup(group string, metadata interface{}) {
+func decodeGroup(group string, metadata any) {
 	if meta, ok := metadata.(*pkg.JavaArchive); ok {
 		if meta.PomProperties == nil {
 			meta.PomProperties = &pkg.JavaPomProperties{}
--- a/syft/format/internal/cyclonedxutil/helpers/properties.go
+++ b/syft/format/internal/cyclonedxutil/helpers/properties.go
@ -10,7 +10,7 @@ var (
 	CycloneDXFields = RequiredTag("cyclonedx")
 )
-func EncodeProperties(obj interface{}, prefix string) (out []cyclonedx.Property) {
+func EncodeProperties(obj any, prefix string) (out []cyclonedx.Property) {
 	for _, p := range Sorted(Encode(obj, prefix, CycloneDXFields)) {
 		out = append(out, cyclonedx.Property{
 			Name:  p.Name,
@ -23,8 +23,8 @@ func EncodeProperties(obj interface{}, prefix string) (out []cyclonedx.Property)
 func decodeProperties(properties []cyclonedx.Property, prefix string) map[string]string {
 	labels := make(map[string]string)
 	for _, property := range properties {
-		if strings.HasPrefix(property.Name, prefix) {
+		if after, ok := strings.CutPrefix(property.Name, prefix); ok {
-			labelName := strings.TrimPrefix(property.Name, prefix)
+			labelName := after
 			labels[labelName] = property.Value
 		}
 	}
--- a/Show More
+++ b/Show More